3

I have a MVC 4 Web Application where I am requiring SSL for a specific set of Actions and now I'd like that also the Login process is protected by SSL.

After setting everything up, what happens is that, since the redirectToUrl parameter of the Login page is not specifying the schema, all the pages requiring login get redirected to https, regardless the [RequireHttps] attribute I have set (or better to say not set) on the Actions.

Since the pages I have not decorated with the RequireHttps attribute host mixed content, this is triggering the usual browser warnings, which is confusing for the user and I'd like to avoid.

Is there a way to fix this issue? I thought of getting the schema from the login action, but I could not find a reference to the original request apart from the returnUrl parameter which is just a relative path.

The reference I have found in SO is creating a custom attribute to decorate every Action not requiring https, but is there anything more DRY than this?

Community
  • 1
  • 1
eddo
  • 2,094
  • 1
  • 25
  • 31
  • well, to avoid repeating a HttpsNotRequired attribute I could use it to decorate a base controller, still wondering if there is a neater solution though. – eddo May 27 '12 at 13:29

2 Answers2

2

I've found the following useful, rather than decorating with [RequireHttps] I decorate with [Secure] and then this attribute does the work for me.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace MyNameSpace.Attributes
{
    public class SecureAttribute : ActionFilterAttribute
    {
        #region Variables and Properties
        public bool PermanentRedirect { get; set; }
        #endregion

        #region Public Methods
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // Cache for efficiency
            var request = filterContext.HttpContext.Request;
            var response = filterContext.HttpContext.Response;

            // Make sure we're not in https or local
            if (!request.IsSecureConnection)
            {
                string redirectUrl = request.Url.ToString().Replace(
                    Uri.UriSchemeHttp,
                    Uri.UriSchemeHttps);

                if (PermanentRedirect)
                {
                    // Set the status code and text description to redirect permanently
                    response.StatusCode = 301;
                    response.StatusDescription = "Moved Permanently";
                }
                else
                {
                    // Set the status code and text description to redirect temporary (found)
                    response.StatusCode = 302;
                    response.StatusDescription = "Found";
                }

                // Add the location header to do the redirect
                response.AddHeader("Location", redirectUrl);
            }

            base.OnActionExecuting(filterContext);
        }
        #endregion
    }
}
James Woodley
  • 501
  • 1
  • 4
  • 18
  • Well, I take it I should use this attribute to decorate the Login Action. Unfortunately it seems it does not help- after login the pages are still redirected to the https. Not sure if I am using it as you intend it, in case pls clarify.. – eddo May 27 '12 at 13:14
  • You may need a module that detects whether the user is logged in. If so keeps them in https, if not redirects them to http. If the user is logged in I'd imaging you want them kept in https to protect future requests? Or do you want everything redirected to http once the login has completed? – James Woodley May 29 '12 at 09:02
2

Well, I finally opted for the solution described in the comments to my original post, which proved the most painless approach.

Just to summarize (all the credit to Luke Sampsons for the code, I am just reposting here for quick reference) this is basically the code:

public class ExitHttpsIfNotRequiredAttribute : FilterAttribute, IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            // abort if it's not a secure connection
            if (!filterContext.HttpContext.Request.IsSecureConnection) return;

            // abort if a [RequireHttps] attribute is applied to controller or action
            if (filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), true).Length > 0) return;
            if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), true).Length > 0) return;

            // abort if a [RetainHttps] attribute is applied to controller or action
            if (filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(RetainHttpsAttribute), true).Length > 0) return;
            if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(RetainHttpsAttribute), true).Length > 0) return;

            // abort if it's not a GET request - we don't want to be redirecting on a form post
            if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase)) return;

            // redirect to HTTP
            string url = "http://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
            filterContext.Result = new RedirectResult(url);
        }
    }
    public  class RetainHttpsAttribute:FilterAttribute{}

The ExitHttpsIfNotRequired attribute can be used to decorate a base controller class used to derive all the controllers in the Web Application.

eddo
  • 2,094
  • 1
  • 25
  • 31