2

I am trying to redirect from secure (https) to http when the user logs in. It redirects fine, but for some reason it's keeping the https.

    Response.Redirect(RedirectPath)

RedirectPath contains the fully qualified URL, including http.

For example, RedirectPath = "http://www.mydomain.com"

but it redirects to https://www.mydomain.com

5
  • Sounds like something else is causing this re-direction to https? If you are confident that your redirect variable is fully qualified and http then it's something outside of this piece of code. What version of IIS is it? Do you have any Url re-writes in there or anything? Commented Jul 4, 2011 at 9:46
  • How about rewrite rules, so you don't perform the redirect manually (programmatically) but let the web server do it? Commented Jul 4, 2011 at 10:00
  • Yes, I am fully confident that the code is fine. We have two load-balanced servers for the secure website. We are using IIS7. It works fine in the local and project environments, but it does not work in the Test Environment. Commented Jul 4, 2011 at 10:13
  • We have no URL rewriting in the Secure project. Commented Jul 4, 2011 at 10:14
  • I am not sure what is causing this issue, but it could be because of load balancing. I have seen from Fiddler as well that it's moving to (moved object 302) http but the destination is https. Commented Jul 4, 2011 at 12:42

5 Answers

5

I redirect by running the following on Page_Load:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            if (!Request.IsLocal && !Request.IsSecureConnection)
            {
                var ub = new UriBuilder(Request.Url);
                ub.Scheme = Uri.UriSchemeHttps;
                ub.Port = -1; // use default port for scheme
                Response.Redirect(ub.Uri.ToString(), true);
                return;
            }
        }
    }

You can similarly go from https to http by setting the Scheme to UriSchemeHttp if IsSecureConnection is true.


6 Comments

I'm going to up-vote this because you've just introduced me to the UriBuilder class :-)
No, it does not help. But I can still try and let you know.
@Mantorok - It's a good class, but not as fully featured as you would like ;) Would be really nice if it had things like AddQueryString(string key, string value) which could handle the whole "is there already a query string set, in which case I'll append with & otherwise I'll use ?".
@Zhaph, ah, I did wonder if it had such a method, because I've had to write my own in the past! Although not a horrendous amount of work, UriBuilder does seem to be a lot cleaner than my current url-restructuring code though.
WARNING: be very careful about using the Uri.ToString method. It does NOT properly URL encode the parameters, so it's really only suitable for novelty purposes or logging, not redirecting. See msdn.microsoft.com/en-us/library/system.uri.tostring.aspx
2

Here's my 2 cents...

Make a simple attribute class like this:

    // Marks a page class that must be served over SSL.
    public class ForceSSL : System.Attribute
    {
        public bool Enabled;

        public ForceSSL(bool _enabled)
        {
            Enabled = _enabled;
        }
    }

Next, create a base class for your page(s) to inherit from. Inside the base class override the OnPreInit event as such (building from the example above @ Druid):

    // Requires "using System.Linq;" for Where/FirstOrDefault.
    protected override void OnPreInit(EventArgs e)
    {
        if (!Request.IsSecureConnection)
        {
            // Look for a ForceSSL attribute on the concrete page class.
            var _sslAttr = this.GetType().GetCustomAttributes(true).Where(at => (at as ForceSSL) != null).FirstOrDefault();
            if (_sslAttr != null)
            {
                if ((_sslAttr as ForceSSL).Enabled)
                {
                    var ub = new UriBuilder(Request.Url);
                    ub.Scheme = Uri.UriSchemeHttps;
                    ub.Port = -1; // use default port for scheme
                    Response.Redirect(ub.Uri.ToString(), true);
                    return;
                }
            }
        }
        base.OnPreInit(e);
    }

Now just make your pages inherit from your base class and place the attribute [ForceSSL(true)] at the top of each page that you want to access via SSL.


1

Can I suggest that you take a look at the requests with a tool such as Fiddler, to see where these redirects are coming from, and indeed to confirm that RedirectPath is indeed fully qualified?

You should be able to confirm that the credentials are being sent over HTTPS, and that you are then redirected (using a 302) to HTTP. If you're redirected to HTTPS, then it's likely that you're not setting the fully qualified domain.

The other alternative is that you are indeed redirecting to an HTTP page, but there's something else that's then forcing the user back to HTTPS - for example the mechanism that forced the user to HTTPS for the login - is this a per page or per directory setting? In which case you'd see a 302 to HTTP, followed by another 302 to HTTPS.
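
The two patterns this answer describes, plus the case where the header changes after it leaves the server, can be told apart mechanically from a Fiddler capture. The sketch below is an added example, not part of the original answer; the Hop type, the Classify function and the server-side log of the emitted redirect target are assumptions, and the traces are constructed.

```csharp
using System;
using System.Collections.Generic;

public sealed class Hop
{
    public string RequestUrl; // URL the client requested
    public int Status;        // status code the client received
    public string Location;   // Location header as the client saw it, or null
}

public static class RedirectTrace
{
    // Returns "http" or "https" for an absolute web URL, otherwise null.
    static string WebScheme(string url)
    {
        Uri u;
        if (!Uri.TryCreate(url, UriKind.Absolute, out u)) return null;
        return (u.Scheme == Uri.UriSchemeHttp || u.Scheme == Uri.UriSchemeHttps) ? u.Scheme : null;
    }

    // emitted: the value the application passed to Response.Redirect, taken
    // from a server-side log (assumption: the application logs it).
    public static string Classify(string emitted, IList<Hop> hops)
    {
        if (hops.Count == 0 || hops[0].Status / 100 != 3) return "no redirect captured";
        string seen = WebScheme(hops[0].Location);
        if (seen == null) return "Location is not fully qualified";
        if (WebScheme(emitted) == "http" && seen == "https")
            return "Location rewritten between server and client";
        if (seen == "https") return "application itself redirected to HTTPS";
        bool bounced = hops.Count > 1 && hops[1].Status / 100 == 3
                       && WebScheme(hops[1].RequestUrl) == "http"
                       && WebScheme(hops[1].Location) == "https";
        return bounced ? "HTTP page redirected back to HTTPS" : "redirect to HTTP honoured";
    }

    public static void Main()
    {
        // Constructed traces; www.mydomain.com is the question's placeholder host.
        var login = "https://www.mydomain.com/login.aspx";
        var rewritten = new List<Hop> {
            new Hop { RequestUrl = login, Status = 302, Location = "https://www.mydomain.com/" } };
        var bounced = new List<Hop> {
            new Hop { RequestUrl = login, Status = 302, Location = "http://www.mydomain.com/" },
            new Hop { RequestUrl = "http://www.mydomain.com/", Status = 302, Location = "https://www.mydomain.com/" } };
        Console.WriteLine(Classify("http://www.mydomain.com/", rewritten));
        Console.WriteLine(Classify("http://www.mydomain.com/", bounced));
    }
}
```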


1

disclaimer - I was involved in the development of this project

I would recommend using http://nuget.org/packages/SecurePages/ It gives you the ability to secure specific pages or use Regex to define matches. It will also force all pages not matching the Regex or directly specified back to HTTP.

You can install it via NuGet: Install-Package SecurePages

Docs are here: https://github.com/webadvanced/Secure-Page-manager-for-asp.net#secure-pages

Simple Usage:

    SecurePagesConfiguration.Urls.AddUrl("/cart");

or

    SecurePagesConfiguration.Urls.AddRegex(@"(.*)account", RegexOptions.IgnoreCase | RegexOptions.Compiled | RegexOptions.Singleline);


0

I'm experiencing the same issue and in my case it's definitely being rewritten by the load balancer. We're using an Equalizer from CoyotePoint. I just read the following in the manual:

In a Layer 7 HTTPS cluster, clients connect to the cluster IP using HTTPS connections. Equalizer terminates the HTTPS connection and communicates with the servers in the cluster using the HTTP protocol. By default, Equalizer examines server responses for http:// URLs and rewrites them as https:// URLs, so that these URLs work properly on the client. If, for example, a server sends an HTTP redirect using the Location: header, this URL most likely will include the http:// protocol. Equalizer rewrites this response so that the URL uses https://.

Apparently, I can disable "no header rewrite" to correct it.
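
Because the balancer in the manual excerpt terminates HTTPS and talks plain HTTP to the servers, a backend check of Request.IsSecureConnection alone reports the balancer-to-server hop, not the scheme the client used. The following added example (not from the original answers) derives the client scheme from an X-Forwarded-Proto style header before deciding whether to redirect, in either direction. That the balancer sets such a header and strips client-supplied copies is an assumption, as are the names SchemeRedirect, ClientScheme and RedirectTarget.

```csharp
using System;

public static class SchemeRedirect
{
    // Scheme the client actually used. forwardedProto is the value of an
    // X-Forwarded-Proto style header (assumption: the balancer sets it and
    // removes any copy sent by the client); pass null when there is no proxy.
    public static string ClientScheme(bool isSecureConnection, string forwardedProto)
    {
        if (!string.IsNullOrEmpty(forwardedProto))
        {
            // A chain of proxies yields "https, http"; the first entry is the client hop.
            string first = forwardedProto.Split(',')[0].Trim();
            if (first.Equals("https", StringComparison.OrdinalIgnoreCase)) return Uri.UriSchemeHttps;
            if (first.Equals("http", StringComparison.OrdinalIgnoreCase)) return Uri.UriSchemeHttp;
        }
        return isSecureConnection ? Uri.UriSchemeHttps : Uri.UriSchemeHttp;
    }

    // Returns the URL to redirect to, or null when the client is already on
    // the wanted scheme, which is what prevents a redirect loop.
    public static string RedirectTarget(Uri requestUrl, string wantedScheme,
                                        bool isSecureConnection, string forwardedProto)
    {
        if (ClientScheme(isSecureConnection, forwardedProto) == wantedScheme) return null;
        var ub = new UriBuilder(requestUrl) { Scheme = wantedScheme, Port = -1 };
        return ub.Uri.AbsoluteUri; // escaped form of the URL for the Location header
    }

    public static void Main()
    {
        // Constructed request URL as the backend sees it behind the balancer.
        var url = new Uri("http://www.mydomain.com/account/login.aspx?returnUrl=%2Fcart");

        // Direct HTTP request, no proxy header: a redirect to HTTPS is needed.
        Console.WriteLine(RedirectTarget(url, Uri.UriSchemeHttps, false, null));

        // Balancer terminated TLS: backend sees HTTP, client used HTTPS, no redirect.
        Console.WriteLine(RedirectTarget(url, Uri.UriSchemeHttps, false, "https") ?? "(no redirect)");

        // Same request with the header ignored: a redirect is issued every time.
        Console.WriteLine(RedirectTarget(url, Uri.UriSchemeHttps, false, null) != null);
    }
}
```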
