
Automatic redirection from HTTP to HTTPS and vice versa using relative URLs in ASP.NET

A very nice control/project (recommended by my Chief Architect) for a very common problem which we all face when we need to secure only specific pages. Below is the link.

http://code.google.com/p/securityswitch/

I applied this in my production environment and it is working perfectly. All related issues are solvable/configurable.

Some useful email exchanges between me and Matt (the guy who made this) are added below as comments.

Let me summarize the steps (if you're using Visual Studio 2010):

  1. Install-Package SecuritySwitch: from VS > Tool > Extension Manager, search for “SecuritySwitch” and install it. More details can be found at http://nuget.org/packages/SecuritySwitch.
  2. The above step sets up everything for your development environment (it puts some attributes in your web.config, adds some DLLs, etc.).
  3. Now you need to specify your secure pages in web.config inside securitySwitch > paths.
  4. These are the important attributes: mode="", baseInsecureUri="", baseSecureUri="".
  5. For staging or production deployment, please go through the comments below.

Comments:1

  1. Reply admin 12/02/17

    Shoaib Azeem
    Feb 1

    to ventaur
    Hi,

    In my development environment I am successfully able to redirect the pages. In my development environment I install the package and it did everything for me.

    When I am trying to check these updates in my staging environment I am not getting the desired results. As I cannot run the package in my staging environment, so I deploy the below things in my staging environment;
    Web.config changes
    packages.config file
    SecuritySwitch-v4.xsd file
    SecuritySwitch.dll (with refresh) files
    Common.Logging.dll (with refresh) files
    Please guide if I am missing anything.

    I highly appreciate your response.

    Regards

    Shoaib

    =======================================================

    Matt Sollars
    Feb 4

    to me
    Hello Shoaib,

    I’d be glad to assist your deployment to staging.

    First, the only files you should need to worry about for deployment are:
    Web.config (properly configured for the module)
    SecuritySwitch-v4.xsd
    SecuritySwitch.dll (in the bin folder of your site)
    Common.Logging.dll (in the bin folder of your site)
    You do not need the packages.config file or any of the refresh files; they are just for Visual Studio during development. Please, refer to the Getting Started wiki page for help on configuring the module manually (which is likely what you will have to do to deploy to staging).

    If you still have problems after following the steps on that page, please let me know what error message you are getting and I can try to help further.

    Regards,

    -Matt

    =======================================================

    Feb 4
    Hi Matt,

    Thank you very much. A tag is missing in my staging environment web.config. It works fine after fixing that; some security warnings are still coming in IE, I will check the other properties to fix this issue.

    One question: we are not marking the secure checkbox in IIS on individual pages. What do you think, can any hacker exploit this?

    By the way, your project is great and resolves a very common problem which we all face when we need to apply SSL on selected pages.

    Regards
    Shoaib

    =======================================================

    Matt Sollars
    Feb 5

    to me
    Shoaib,

    You’re welcome. I’m glad you got it worked out.

    Are you referring to the “Require SSL” check box in IIS or something else? If you mean the “Require SSL” check box, that tells IIS to refuse connections that are requested via HTTP. Unfortunately, this forces your users to type “https://” into their browser and may cause them to abandon your site. The only way to allow less savvy users to get to your site then, is to allow HTTP (or not require SSL), then redirect them (via this module for example).

    I do not see this as a hacker loophole either. If a hacker ignores the redirect (code 301 or 302) your server sends back to their request, it will do them no good still. Your server will continue to respond to insecure requests that you have configured to be secure with a redirect code. There is nothing such a hacker can do about that from afar. By that, I mean they would have to break into your actual server, not just the website.

    Thank you for the feedback. It’s people like you that give me motivation to keep the project alive and add new features.

    Regards,

    -Matt

    =======================================================

    Feb 11
    Hi Matt,

    Sorry to bother you again. I have applied your solution in my production environment and it is working perfectly in terms of HTTP to HTTPS and vice versa redirections. But I am having the issue that “Not all the content on this page is secure”. I checked with “Fiddler” and it shows that the images are not secured. I am securing one of my content pages which is under a nested master page. Below is my web.config setting; I have tried the security attribute with “Insecure” and “Secure” values. Screenshots are also attached.

    <securitySwitch mode="On" baseInsecureUri="http://www.test.com" baseSecureUri="https://www.test.com" xmlns="http://SecuritySwitch-v4.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="SecuritySwitch-v4.xsd">
      <paths>
        <add path="~/ManagePaymentInfo.aspx" security="Secure" />
        <add path="~/ReviewPay.aspx" />
      </paths>
    </securitySwitch>

    Regards
    Shoaib

    =======================================================
    On Sun, Feb 12
    Hi again, Shoaib.

    You’ll need to instruct the module to ignore your static assets. What’s happening is, you’ve got ManagePaymentInfo.aspx secured, so when a request comes through that is insecure, the module redirects the browser to HTTPS. Then, the browser makes all relative path file requests via the same protocol (HTTPS). So, an image request comes to the server as HTTPS, but the module does not find any entry for the image (or the folder it’s in), so it assumes it should be insecure. Therefore, it redirects the browser to HTTP for that image (and others, including CSS files).

    I suggest you add new path entries for all your images and CSS paths and set those paths’ security to “Ignore”.

    <add path="~/Images" security="Ignore" />
    <add path="~/Styles" security="Ignore" />

    Or, if all your images and styles, etc. are under a single folder, you could do this:

    <add path="~/Media" security="Ignore" />

    Regards,

    -Matt
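
The redirect behaviour described in the last reply, modeled as an added Python example (not code from the original post or from the SecuritySwitch project): it reads a securitySwitch paths section and lists the assets that a secured page would end up fetching over HTTP. Prefix matching, a missing security attribute meaning "Secure", the function names and the sample asset paths are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <paths> entries quoted in the thread (namespace
# attributes dropped), before and after adding the suggested "Ignore" entries.
BEFORE = """<securitySwitch mode="On">
  <paths>
    <add path="~/ManagePaymentInfo.aspx" security="Secure" />
    <add path="~/ReviewPay.aspx" />
  </paths>
</securitySwitch>"""
AFTER = BEFORE.replace(
    "</paths>",
    '  <add path="~/Images" security="Ignore" />\n'
    '    <add path="~/Styles" security="Ignore" />\n  </paths>')

def load_rules(config_xml):
    """Return [(path_prefix, security)] in document order."""
    rules = []
    for add in ET.fromstring(config_xml).iter("add"):
        prefix = add.get("path").lstrip("~").lower()
        # Assumption: an entry without a security attribute is "Secure".
        rules.append((prefix, add.get("security", "Secure")))
    return rules

def decide(rules, scheme, path):
    """Return 'serve' or 'redirect->SCHEME' for one request."""
    security = "Insecure"  # no matching entry: treated as insecure (per the thread)
    for prefix, sec in rules:
        if path.lower().startswith(prefix):  # assumption: prefix match, first hit wins
            security = sec
            break
    if security == "Ignore":
        return "serve"     # served on whatever scheme the request arrived on
    wanted = "https" if security == "Secure" else "http"
    return "serve" if scheme == wanted else "redirect->" + wanted

def mixed_content(rules, page, assets):
    """Assets that a page served over HTTPS would be redirected to HTTP for."""
    if decide(rules, "https", page) != "serve":
        return []          # page itself is not a secured page
    return [a for a in assets if decide(rules, "https", a) == "redirect->http"]

if __name__ == "__main__":
    assets = ["/Images/logo.png", "/Styles/site.css", "/Scripts/app.js"]
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, mixed_content(load_rules(cfg), "/ManagePaymentInfo.aspx", assets))
```

Any asset still listed after the change sits in a folder with no "Ignore" entry and would keep triggering the browser warning.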
