SSL pages under ASP.NET MVC
Solution 1
If you are using ASP.NET MVC 2 Preview 2 or higher, you can now simply use:
[RequireHttps]
public ActionResult Login()
{
return View();
}
Though, the order parameter is worth noting, as mentioned here.
Solution 2
MVCFutures has a 'RequireSSL' attribute.
(thanks Adam for pointing that out in your updated blogpost)
Just apply it to your action method, with 'Redirect=true' if you want an http:// request to automatically become https:// :
[RequireSsl(Redirect = true)]
See also: ASP.NET MVC RequireHttps in Production Only
Solution 3
As Amadiere wrote, [RequireHttps] works great in MVC 2 for entering HTTPS. But if you only want to use HTTPS for some pages as you said, MVC 2 doesn't give you any love - once it switches a user to HTTPS they're stuck there until you manually redirect them.
The approach I used is to use another custom attribute, [ExitHttpsIfNotRequired]. When attached to a controller or action this will redirect to HTTP if:
- The request was HTTPS
- The [RequireHttps] attribute wasn't applied to the action (or controller)
- The request was a GET (redirecting a POST would lead to all sorts of trouble).
It's a bit too big to post here, but you can see the code here plus some additional details.
Solution 4
Here's a recent post from Dan Wahlin on this:
http://weblogs.asp.net/dwahlin/archive/2009/08/25/requiring-ssl-for-asp-net-mvc-controllers.aspx
He uses an ActionFilter Attribute.
Solution 5
Some ActionLink extensions: http://www.squaredroot.com/post/2008/06/11/MVC-and-SSL.aspx Or an controller action attribute that redirects to https:// http://forums.asp.net/p/1260198/2358380.aspx#2358380
Related videos on Youtube
David Laing
I build cool stuff, well. I’m passionate about the craft of software development; and web based businesses. I enjoy reading science fiction (specifically Sagan, Gaiman & Brin). I play the guitar (poorly, but with enthusiasm). I enjoy vegetable gardening, travelling, skiing & yoga. See davidlaing.com/about for details
Updated on July 05, 2022Comments
-
David Laing almost 2 years
How do I go about using HTTPS for some of the pages in my ASP.NET MVC based site?
Steve Sanderson has a pretty good tutorial on how to do this in a DRY way on Preview 4 at:
http://blog.codeville.net/2008/08/05/adding-httpsssl-support-to-aspnet-mvc-routing/
Is there a better / updated way with Preview 5?,
-
RickAndMSFT about 10 yearsThis is very dated. For MVC4 and higher, see my blog post blogs.msdn.com/b/rickandy/archive/2012/03/23/…
-
-
aruno almost 15 yearsmake sure you see the follow post he wrote himself : blog.salvoz.com/2009/04/25/…
-
royco over 14 yearsThis looks to be the best way at the moment.
-
ArpitM over 14 yearsWould I have to subclass it in order to handle localhost requests?
-
aruno over 14 yearsone way is to create a certificate for your local machine and use that. i think to completely disable it for localhost you would indeed need to subclass or duplicate the code. not sure what the recommended approach is
-
ArpitM over 14 yearsLooks like it's sealed so I'd need to dupe the code. Bummer. The certificate for the local machine would only work in IIS though right, not the dev web server.
-
aruno over 14 years@mr rogers - take a look at this : stackoverflow.com/questions/1639707/…
-
heisenberg almost 14 years+1 a year later as the isLocal call helped me resolve an issue that was becoming a real pain in the @@@
-
ashes999 over 13 yearsYou can also do this on the controller level. Better yet, if you want the entire application to be SSL, you can create a base controller, extend it for all controllers, and apply the attribute there.
-
GraemeMiller about 11 yearsAlternatively you can add it is a global filter MVC3 in Global.asax GlobalFilters.Filters.Add(new RequireHttpsAttribute());
-
Serj Sagan over 10 yearsI think most people would disagree with you on this one, though providing an alternate way is always useful...
-
RickAndMSFT about 10 yearsNo guaranteed other developers will use your derived controller. You can make one call to force HTTPS - see my blog post blogs.msdn.com/b/rickandy/archive/2012/03/23/…
-
RickAndMSFT about 10 yearsUpdating this to MVC4+ see my blog post blogs.msdn.com/b/rickandy/archive/2012/03/23/…
-
RickAndMSFT about 10 yearsAllowAnonymous fixes that. For MVC4 and higher, see my blog post blogs.msdn.com/b/rickandy/archive/2012/03/23/…
-
RickAndMSFT about 10 yearsThe above is dated, For MVC4 and higher, see my blog post blogs.msdn.com/b/rickandy/archive/2012/03/23/…