A couple of weeks ago I showed an easy way to redirect from HTTP to HTTPS.
Fosiul raised the issue that once you redirect to HTTPS all the pages become secure even the ones we do not need to be secure.
This can lead to some problems like adding additional stress on the web server machine.
To solve this problem we should be able to switch from https to http when ever we detect a page where we do not need secure communications.
One way to do that is to have a function that knows to switch both ways.
Example:
// set protocol to secure or unsecured according to bSecure flag.
// bSecure flag = true -> secure connection
// bSecure flag = false -> unsecured connection
public void setSecureProtocol(bool bSecure)
{
string redirectUrl = null;
// if we want HTTPS and it is currently HTTP
if (bSecure && !Request.IsSecureConnection) redirectUrl = Request.Url.ToString().Replace("http:", "https:");
else
// if we want HTTP and it is currently HTTPS
if (!bSecure && Request.IsSecureConnection) redirectUrl = Request.Url.ToString().Replace("https:", "http:");
//else
// in all other cases we don't need to redirect
// check if we need to redirect, and if so use redirectUrl to do the job
if(redirectUrl!=null)
Response.Redirect(redirectUrl);
}
One way to use the above function is in the page load handler of pages where a transition to or from HTTP or HTTPS should occur.
Putting the function call in the page load handler would make sure that a transition from secure to non secure and vice versa would occur before the rest of the page gets rendered.
Example:
protected void Page_Load(object sender, EventArgs e)
{
// set to HTTPS secure protocol
setSecureProtocol(true);
/// rest of code goes here
/// we will only reach this code in secure mode
}
If you want to be fancier you can use a custom HTTP module to detect and redirect using a variant of the setSecureProtocol function.
Example:
/// <summary>
/// HttpToHttpsRedirector - an http module to detect and redirect from http to https and vice versa
/// </summary>
public class HttpToHttpsRedirector: IHttpModule
{
public void Init(HttpApplication context)
{
context.BeginRequest += new System.EventHandler(Application_BeginRequest);
}
// your BeginRequest event handler.
private void Application_BeginRequest(Object source, EventArgs e)
{
HttpApplication application = (HttpApplication)source;
HttpContext context = application.Context;
// This is where your web site logic should decide if to redirect to http/https.
// The example code below always redirects to https!!!
if (true) setSecureProtocol(context, true);
}
public void Dispose()
{
}
// utility functions
// set protocol to secure or unsecure acording to bSecure flag.
// bSecure flag = true -> secure connection
// bSecure flag = false -> unsecure connection
public void setSecureProtocol(HttpContext context, bool bSecure)
{
string redirectUrl = null;
// if we want HTTPS and it is currently HTTP
if (bSecure && !context.Request.IsSecureConnection) redirectUrl = context.Request.Url.ToString().Replace("http:", "https:");
else
// if we want HTTP and it is currently HTTPS
if (!bSecure && context.Request.IsSecureConnection) redirectUrl = context.Request.Url.ToString().Replace("https:", "http:");
//else
// in all other cases we don't need to redirect
// check if we need to redirect, and if so use redirectUrl to do the job
if (redirectUrl != null)
context.Response.Redirect(redirectUrl);
}
}
Good luck!
Subscribe