ASP.NET MVC [RequireHttps] - return to http
D

3

7

Once you place [RequireHttps] on an action and the user switches from HTTP to HTTPS, all subsequent links will stay HTTPS...

Is there a way to switch back to HTTP?

Dion answered 20/2, 2012 at 22:8 Comment(1)
This can be done with filters. Try searching SO, there are many questions almost exactly the same as yours. – Falgoust
D
6

Technically, you could do it

You could look at the source of RequireHttpsAttribute and reverse it.

In practice, you probably shouldn't

If the session is still alive, it is generally inadvisable to return to HTTP. This can be the foundation for a variety of attacks, for example, session hijacking.

Dilatation answered 20/2, 2012 at 22:22 Comment(3)
Thanks for all the links - I generally agree with you, but I have a "contact us" page for which I'd like to enforce SSL - the rest of the site is informational. – Dion
@Dion No problem. You'll be OK if the rest of the site is only informational, but what do you hope to gain by returning to HTTP? – Dilatation
I read somewhere that switching schemes "hurts" SEO. Unfortunately, I don't have the link to the article anymore, and I am not 100% sure if that is true... – Dion
F
2

There is a pretty detailed description of how to handle switching from HTTPS back to HTTP for specific action methods at this link:

http://blog.clicktricity.com/2010/03/switching-to-https-and-back-to-http-in-asp-net-mvc/

Fasten answered 20/2, 2012 at 22:15 Comment(0)
M
1

Here's the 'ExitHttpsIfNotRequired' attribute I use:

using System;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class RetainHttpsAttribute : Attribute
{
}

public class ExitHttpsIfNotRequiredAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        // Abort if it's not a secure connection  
        if (!filterContext.HttpContext.Request.IsSecureConnection) return;

        if (filterContext.ActionDescriptor.ControllerDescriptor.ControllerName == "sdsd") return;

        // Abort if it's a child action
        if (filterContext.IsChildAction) return;

        // Abort if a [RequireHttps] attribute is applied to controller or action  
        if (filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), true).Length > 0) return;
        if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), true).Length > 0) return;

        // Abort if a [RetainHttps] attribute is applied to controller or action  
        if (filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(RetainHttpsAttribute), true).Length > 0) return;
        if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(RetainHttpsAttribute), true).Length > 0) return;

        // Abort if it's not a GET request - we don't want to be redirecting on a form post  
        if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase)) return;

        // Abort if the error controller is being called - we may wish to display the error within a https page
        if (filterContext.ActionDescriptor.ControllerDescriptor.ControllerName == "Error") return;

        // No problems - redirect to HTTP
        string url = "http://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
        filterContext.Result = new RedirectResult(url);
    }
}
Miche answered 24/11, 2013 at 16:13 Comment(0)
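
A variant of the filter above that also applies the earlier answer's caution about live sessions, as an added example that is not part of any answer on this page. The class name `ExitHttpsIfNoSessionAttribute` is hypothetical, and the code assumes the default ASP.NET session cookie name, forms authentication, and HTTP served on the default port.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example (hypothetical class name): downgrade to HTTP only when the
// request carries nothing that identifies a session.
public class ExitHttpsIfNoSessionAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumption: default ASP.NET session cookie name; change it if
    // <sessionState cookieName="..."> is set in web.config.
    private const string SessionCookieName = "ASP.NET_SessionId";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        if (!request.IsSecureConnection) return;   // already on HTTP
        if (filterContext.IsChildAction) return;   // child actions cannot redirect
        if (!String.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase)) return;

        // Respect [RequireHttps] on the controller or the action.
        ActionDescriptor action = filterContext.ActionDescriptor;
        if (action.IsDefined(typeof(RequireHttpsAttribute), true)) return;
        if (action.ControllerDescriptor.IsDefined(typeof(RequireHttpsAttribute), true)) return;

        // Stay on HTTPS while a session is alive: an authenticated user, or a
        // session / forms-auth cookie, would otherwise travel in clear text
        // on the next HTTP request unless every such cookie is marked Secure.
        if (request.IsAuthenticated) return;
        if (request.Cookies[SessionCookieName] != null) return;
        if (request.Cookies[FormsAuthentication.FormsCookieName] != null) return;

        // Build the target with UriBuilder instead of string concatenation;
        // Port = -1 selects the default port for the new scheme.
        var target = new UriBuilder(request.Url) { Scheme = Uri.UriSchemeHttp, Port = -1 };
        filterContext.Result = new RedirectResult(target.Uri.AbsoluteUri);
    }
}
```

The cookie checks are a backstop: session and authentication cookies should also be issued with the Secure flag so they are never sent over HTTP in the first place.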
