There are a few ways to redirect from http to https in ASP.NET, but I wanted a somewhat simple and efficient method. After researching a bit, I found I could add some code to Global.asax, or make my own custom configuration section in the web.config. Well, I chose to do a little variation of a "custom" section in the web.config. I don't end up creating a class that inherits from ConfigurationSection, but just a few other things. To create a custom configuration section, here are a few links you may want to look at:
http://www.4guysfromrolla.com/articles/032807-1.aspx
http://msdn.microsoft.com/en-us/library/2tw134k3%28VS.80%29.aspx
Now, here is what I did:
- Add a section in the web.config called <SecurePages>, that mimics the <appSettings> section
- Create a class file SecurePages.cs with two classes in it.
- Add some code to Global.asax
Let's start with what we need to add to the web.config. First, you need to add the following under the <configSections> element. If you already have code in this section, make sure you don't add it under an existing <sectionGroup>.
A few notes here: 1) notice the name attribute and its value, "SecurePages". This is what we are going to call our section (you'll see in a bit), and 2) notice that it is of type System.Configuration.NameValueFileSectionHandler. This is what allows us to mimic the key/value format of <appSettings> within our section.
The last thing we need to add to our web.config is the new section <SecurePages> with pages and directories we would like secure:
A few notes here: 1) for the key, we put either a directory or a web page name; 2) the value is either "directory" or "page". If the value is "directory", then all requests made to items within that directory are switched to https://. If the value is "page", then requests for that page are switched to https://.
Now on to step 2: creating a class file called SecurePages.cs with a class named SecurePage and a class named SecurePath in it. Both of these classes belong in the same file.
The first class we are making in the file is SecurePage with two properties called Path and PathType. Code is below:
The second class we are making reads the values out of our <SecurePages> section in the web.config and stores them in a List<> of type SecurePage. It then checks whether the incoming request is in that list, in which case it should be switched to https://. Code for this is below:
The final step in the process is to add code to the Application_BeginRequest method in Global.asax to see if the incoming request should be switched to https://. You'll notice we are calling the static method IsSecure in the SecurePath class we created above. You'll also notice the path we are passing in is the AbsolutePath (e.g., /WebForm1.aspx), since that is the type of URL we put in the web.config earlier.
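An added example (not the author's original listings) of the matching and redirect logic from steps 2 and 3. `SecurePage`, `SecurePath` and `IsSecure` follow the names in the text; `Load`, `RedirectTarget`, the extra `pages` parameter and the sample entries are assumptions, and it goes slightly beyond the text by matching case-insensitively and on directory boundaries.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;

public class SecurePage
{
    public string Path { get; set; }
    public string PathType { get; set; }   // "directory" or "page"
}

public static class SecurePath
{
    // Hypothetical helper. In the web app, pass (NameValueCollection)ConfigurationManager.GetSection("SecurePages").
    public static List<SecurePage> Load(NameValueCollection section) =>
        section.AllKeys.Select(k => new SecurePage { Path = k.TrimEnd('/'), PathType = section[k] }).ToList();

    public static bool IsSecure(string absolutePath, List<SecurePage> pages)
    {
        foreach (SecurePage p in pages)
        {
            // IIS treats paths case-insensitively, so compare the same way.
            bool same = absolutePath.Equals(p.Path, StringComparison.OrdinalIgnoreCase);
            bool under = absolutePath.StartsWith(p.Path + "/", StringComparison.OrdinalIgnoreCase);
            if (p.PathType == "page" && same) return true;
            // Segment-boundary match: "/Admin" must not also capture "/Administrator.aspx".
            if (p.PathType == "directory" && (same || under)) return true;
        }
        return false;
    }

    // Hypothetical helper: https:// target or null. In Application_BeginRequest: if (t != null) Response.Redirect(t);
    public static string RedirectTarget(Uri request, List<SecurePage> pages)
    {
        if (request.Scheme == Uri.UriSchemeHttps || !IsSecure(request.AbsolutePath, pages))
            return null;
        return new UriBuilder(request) { Scheme = Uri.UriSchemeHttps, Port = -1 }.Uri.AbsoluteUri;
    }
}
public static class Demo
{
    public static void Main()
    {
        // Constructed entries, same shape as <add key="/Admin" value="directory" /> in <SecurePages>.
        var pages = SecurePath.Load(new NameValueCollection { { "/Admin", "directory" }, { "/Login.aspx", "page" } });
        foreach (string u in new[] { "http://example.com/admin/users.aspx?id=1",
                 "http://example.com/Administrator.aspx", "https://example.com/Login.aspx" })
            Console.WriteLine(u + " -> " + (SecurePath.RedirectTarget(new Uri(u), pages) ?? "(no redirect)"));
    }
}
```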
I know this may seem like a lot of trouble to redirect a request from http to https, but once set up it's easy to manage in the web.config. Being able to manage it here means you don't have to worry about recompiling the application each time you need to make a change. Also, I know you can do this sort of thing in IIS 7, but this allows a different way of controlling it. This may not be the best method for large-scale enterprise apps, but when dealing with shared hosting companies (e.g., Go Daddy) you never know how much control you'll get over IIS.
One improvement that can be made to this code is to add this list to the Cache or Session; that way it doesn't have to read the web.config on every request.
However, I left that out of this example so that you can modify as needed and not worry about anything else I have put in there.
Either way, questions or comments on how to improve this I would enjoy hearing about. Good luck!