Preparation for SSL

Discussion in 'Pre-sales questions' started by IPAlarms, May 6, 2014.

  1. IPAlarms

    IPAlarms Developer of VoIP2Go Voice over IP Platform

    I want to purchase the SSL add-on and use the free certificate you provide. There are three scenarios for users of my web sites that I'd like to clarify for use with SSL:

    1. Anyone from anywhere can browse my HTML web site content.

    2. Registered users that log into my ASP.net app via a login page - http://www.ipalarms.net/login.aspx

    3. Remote software applications that make HTTP GET/POST calls to an aspx page that does not require a login. For example, the remote apps might call http://www.ipalarms.net/remoteservice.aspx

    I assume there is a simple way for me to force all HTTP calls to my login page to use HTTPS. Can you point me to any resources that explain the ways I can do this?

    Can I do the same for the remote apps calling the remoteservice.aspx page on my site, or will all the remote apps need to be updated to make calls over HTTPS instead of HTTP?
     
  2. RayH

    RayH DiscountASP.NET Lackey DiscountASP.NET Staff

    HTTP to HTTPS. I'm not sure on your remote apps. I guess it might depend on how you code them and what you're trying to do?
     
  3. IPAlarms

    IPAlarms Developer of VoIP2Go Voice over IP Platform

    I use code similar to the following:

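    ' Requires: Imports System.Net
    Dim strURL As String = "http://ipalarms.net/MyPage.aspx?"
    strURL &= "SomeParameter=" & Uri.EscapeDataString("some value")
    Dim httpRequest As WebRequest = WebRequest.Create(strURL)
    Dim response As WebResponse = httpRequest.GetResponse()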

    I can change http to https in every application. Would that work, or am I missing something?
     
  4. IPAlarms

    IPAlarms Developer of VoIP2Go Voice over IP Platform

    I found some old code from when I had looked at using SSL several years back. I think it goes between the Head and Body sections of the login.aspx page:

    <%
    ' Redirect plain-HTTP requests to the HTTPS site root (the requested path is not preserved)
    Response.Buffer = True
    If (Request.ServerVariables("HTTPS") = "off") Then
        Dim xredir__ As String = "https://" & Request.ServerVariables("SERVER_NAME")
        Response.Redirect(xredir__)
    End If
    %>

    I followed the link in Ray's post and it seems like a more modern approach; however, I don't want my HTML web pages in the root directory forced to HTTPS - I just want the login.aspx and one or two other pages. Can anyone advise how I would restrict HTTPS to login.aspx and other.aspx by modifying the following URL Rewrite code in web.config...

    <match url="(.*)" />
    <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
     
    Last edited: May 7, 2014
  5. In general, you can achieve this task by using the "Application_BeginRequest" method of the Global.asax file to force all HTTP requests

    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        // Redirect any non-local request that arrived over plain HTTP to the same URL over HTTPS
        if (!HttpContext.Current.Request.IsSecureConnection && !HttpContext.Current.Request.IsLocal)
        {
            Response.Redirect("https://" + Request.ServerVariables["HTTP_HOST"] + HttpContext.Current.Request.RawUrl);
        }
    }

    If you want to force a specific page, place this piece of code in the page load method:

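    if (!Request.IsLocal && !Request.IsSecureConnection)
    {
        // Change only the scheme: a plain string Replace would also rewrite "http:" inside the query string.
        // Port = -1 selects the default HTTPS port.
        var secureUrl = new UriBuilder(Request.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        Response.Redirect(secureUrl.Uri.AbsoluteUri, false);
        Response.CompleteRequest();
    }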

    all the best
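
Added example (not part of any post in this thread): one way to restrict the URL Rewrite redirect asked about in post 4 to login.aspx and other.aspx only. The rule name is chosen for illustration, and the wrapping web.config elements are the standard URL Rewrite layout, assumed here because the thread shows only a fragment.

```xml
<!-- Added example. Requires the IIS URL Rewrite module. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name is arbitrary (chosen for this example). -->
        <rule name="HTTPS for login pages only" stopProcessing="true">
          <!-- The match input is the URL path without the leading slash
               or the query string, so only /login.aspx and /other.aspx
               in the site root match. The static HTML pages and every
               other URL are left on whatever scheme they were requested with. -->
          <match url="^(login|other)\.aspx$" />
          <conditions>
            <!-- Same condition as the fragment in the thread:
                 act only when the request arrived over plain HTTP. -->
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <!-- {R:0} is the whole matched path. The original query string
               is appended by default. -->
          <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
        </rule>
        <!-- remoteservice.aspx is deliberately not listed. A redirect only
             answers a request that has already crossed the network in
             cleartext, and most HTTP clients re-issue a redirected POST
             as a GET without its body. Changing the callers' URL to
             https, as proposed in post 3, avoids both problems. -->
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

If the site's web.config already has a `<rewrite><rules>` section, only the `<rule>` element needs to be merged into it.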
     
