Contents tagged with HTTPS
Binding multiple websites to HTTPS on your development machine
On your development machine you can use host headers to bind to different websites within IIS, allowing you to host multiple websites on a single development machine (you can do this too in production but this article is focusing on the development environment).
Host headers work only with HTTP: IIS cannot see the host header information in an HTTPS request until the request reaches the website, so it would not know which site to bind to. For this reason, IIS does not allow you to specify a host header when setting up an HTTPS binding:
When you select the Binding Type of HTTPS, then the Host name box is disabled.
You then have two other choices to allow multiple websites on your development IIS environment to both run with HTTPS. You can either vary the Port or the IP Address between the two. Changing the Port is not desirable because this would usually mean extra code to make sure a special port number was used in requests (and then would not match a production environment). So this leaves you with IP address.
Most development machines have only a single network card and therefore, by default, a single IP address. So only having one IP address will not help you run more than one site under SSL.
But hidden within the Network Connection properties dialog is a way to specify a second (or third) IP address for your development machine, which is exactly what is needed to allow multiple websites to use SSL on your development machine.
Go to Control Panel > Network and Sharing Center > Change adapter settings (or just get to the properties of your Network Adapter).
Here is where you will see the primary IP address for your machine (either it will be as above if you have a static IP address, or more likely you have a dynamic IP address and then both of the Obtain IP address and DNS server automatically options will be selected). But there is a way to add a second (or third) IP address. Just click the Advanced button in the lower right.
Now click the Add… button where you will be able to add a static IP address (you will need a static IP address to be able to do this).
OK your way out and now your machine will have two IP addresses.
Return to the IIS Add Site Binding dialog, and in the IP Address drop-down you will now see your second IP address (or, in the case of the screenshot below, a third too).
Just choose one of these IP addresses for one site and the other for the other site that you also want to allow HTTPS (SSL) requests on.
Now there is one last thing to take care of and that is to make sure the request to this site is resolving to the correct IP address. In most cases, if you are using host headers to host multiple websites on your development machine, then you have entered entries into your Hosts file using the local loopback IP address 127.0.0.1. But now you will need to make sure you change these to the IP addresses that you specified for that particular website.
You can confirm that the host header is resolving to the correct IP address by pinging that host header.
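The same procedure as a script, added here as an example and not part of the original post: it adds each IP address to the adapter, creates an HTTPS binding per site on its own IP, points the Hosts file entries at those IPs and checks that each name resolves correctly. The adapter alias, site names, host names and IP addresses are constructed sample values, and the script assumes Windows 8 / Server 2012 or later with the WebAdministration module installed.

```powershell
# Run from an elevated prompt. Adapter, sites, host names and IPs are constructed samples.
Import-Module WebAdministration

$adapter   = 'Ethernet'
$prefix    = 24
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$sites = @(
    @{ Site = 'SiteA'; HostName = 'sitea.local'; IP = '192.168.1.50' },
    @{ Site = 'SiteB'; HostName = 'siteb.local'; IP = '192.168.1.51' }
)

# Additional addresses require a statically configured adapter.
$ipIf = Get-NetIPInterface -InterfaceAlias $adapter -AddressFamily IPv4
if ($ipIf.Dhcp -eq 'Enabled') { throw "$adapter uses DHCP; assign a static address first." }

foreach ($s in $sites) {
    # 1. Add the IP address to the adapter unless the machine already has it.
    if (-not (Get-NetIPAddress -IPAddress $s.IP -ErrorAction SilentlyContinue)) {
        New-NetIPAddress -InterfaceAlias $adapter -IPAddress $s.IP -PrefixLength $prefix | Out-Null
    }
    # 2. Create the HTTPS binding on that IP (port 443, no host header).
    #    The certificate for the binding is still selected in IIS Manager.
    if (-not (Get-WebBinding -Name $s.Site -Protocol https -IPAddress $s.IP -Port 443)) {
        New-WebBinding -Name $s.Site -Protocol https -IPAddress $s.IP -Port 443
    }
    # 3. Replace any single-name Hosts entry (e.g. 127.0.0.1) for this host name.
    $pattern = '^\s*[0-9a-fA-F:.]+\s+' + [regex]::Escape($s.HostName) + '\s*$'
    $kept    = @(Get-Content $hostsFile | Where-Object { $_ -notmatch $pattern })
    ($kept + "$($s.IP)`t$($s.HostName)") | Set-Content $hostsFile
}

# 4. Confirm each host name resolves to the IP its site is bound to.
foreach ($s in $sites) {
    $resolved = [System.Net.Dns]::GetHostAddresses($s.HostName) | ForEach-Object IPAddressToString
    if ($resolved -notcontains $s.IP) { Write-Warning "$($s.HostName) resolves to $resolved, expected $($s.IP)" }
    else { Write-Output "$($s.HostName) -> $($s.IP) OK" }
}
```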
How to switch between HTTP and HTTPS in ASP.NET MVC2
ASP.NET MVC2 has the new RequireHttpsAttribute that you can use to decorate any action to force any non-secure request to come through HTTPS (SSL). It can be used as simply as this:
    [RequireHttps]
    public ActionResult LogOn()
    {
        // ... action body ...
        return View();
    }

Now any request to the LogOn action that is not over HTTPS will automatically be redirected back to itself over HTTPS. This is very useful and easy to implement.
Unfortunately though, once the scheme is changed to HTTPS, all following requests will also be under HTTPS, which is not necessarily what you want. In most cases you do not need all requests to your site to be secure but only certain ones such as the logon page or pages that accept credit card information.
To handle this you can override the Controller.OnAuthorization method. From within this method, you can check to see if the RequireHttps attribute is set on the Controller Action by searching the Attributes collection of the ActionDescriptor object. If the RequireHttpsAttribute is not set AND the request is under SSL, then return a redirect result to the HTTP (non-SSL) url:
    using System;
    using System.Linq;      // needed for Count()
    using System.Web.Mvc;

    public class ControllerBase : Controller
    {
        protected override void OnAuthorization(AuthorizationContext filterContext)
        {
            // The RequireHttpsAttribute set on the Controller Action will handle redirecting to HTTPS.
            // We just need to handle any requests that are already under SSL but should not be.
            if (Request.IsSecureConnection)
            {
                bool requireHttps = filterContext.ActionDescriptor
                    .GetCustomAttributes(typeof(RequireHttpsAttribute), false)
                    .Count() >= 1;

                // If this request is under SSL but the controller action
                // does not require it, then redirect to the HTTP version.
                // Child actions (Html.Action in views) are left alone.
                if (!requireHttps && !filterContext.IsChildAction)
                {
                    UriBuilder uriBuilder = new UriBuilder(Request.Url);
                    // Change the scheme; assumes the HTTP site listens on the default port 80.
                    // Cookies not marked Secure are sent in clear text after this redirect.
                    uriBuilder.Scheme = "http";
                    uriBuilder.Port = 80;
                    filterContext.Result = this.Redirect(uriBuilder.Uri.AbsoluteUri);
                }
            }
            base.OnAuthorization(filterContext);
        }
    }

Now any HTTPS requests to controller actions that are not decorated with a RequireHttps attribute will be forced back to an HTTP (non-secure) request.
EDITED (2010-08-21): Modified the code as recommended by the comment from Donnie Hale to move the check for Request.IsSecureConnection to the outermost if block.
EDITED (2011-01-06): Modified the code as recommended by the comment from Sergio Tai to not perform this check when Html.Action is used in views.