Run only some ASP.NET forms in SSL

Hi experts,

I have an ASP.NET 3.5 (VB.NET) web application on IIS 6.0 which, for the most part, should run in HTTP. However, there are a small amount of forms which I would like to run in HTTPS. I don't want to apply the SSL cert to the whole virtual directory in IIS, but would instead like to pick and choose which forms should always run in SSL.

Any ideas of a simple and clean way of doing this in VB.NET?

Thanks

Jon
LVL 11
Jon WinterburnAsked:
Who is Participating?
 
masterpassConnect With a Mentor Commented:
I think global.asax would be the right place to do some thing like this

first add a key to the web.config

<add key="SecurePages" value="page1.aspx,page2.aspx"/>

then in the Application_BeginRequest of the global.asax, have this
protected void Application_BeginRequest(object sender, EventArgs e)
{
    if (Request.Url.AbsoluteUri.ToLower().Contains(".aspx"))
    {
        Uri url = HttpContext.Current.Request.Url;
        List<string> securePagesList = System.Configuration.ConfigurationSettings.AppSettings["SecurePages"].Split(',').ToList<string>();
        string page = url.Segments[url.Segments.Length - 1].ToLower();
        if (securePagesList.Contains(page))
        {
            if (!Request.IsSecureConnection) 
            {
                Response.Redirect(url.ToString().Replace("http://", "https://"), true);
            }

        }
        else if (Request.IsSecureConnection)
        {
            Response.Redirect(url.ToString().Replace("https://", "http://"), true);
        }
    }
}

Open in new window

0
 
SoLostCommented:
My thinking is that the SSL cert is applied to the entire web site.  Whether you use it on a page or not depends on whether you redirect them to http or https

0
 
masterpassCommented:
Follow what is mentioned in

http://support.microsoft.com/kb/324069

The 8 th point : Click Require secure-channel (SSL) if you want the Web site, folder, or file to require SSL communications. So you can apply it for s single page or folder or for entire site
0
Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

 
Jon WinterburnAuthor Commented:
okay, so if I was to enable SSL on the whole site, how can I redirect certain pages out of https?
0
 
SoLostCommented:
To go in or out of SSL you have to redirect them to the entire URL with http or https on the front.

e.g.  

' Detect if the current page is secure or not and redirect to a non-secure page
If Request.IsSecureConnection = True Then
    ' Page is currently secure, redirect to non-secure site
    Response.Redirect("http://www.mysite.com/somepage.aspx", False)
Else
    ' Page is not secure.  Leave it that way
     Response.Redirect("~/somepage.aspx", False)
End If
0
 
Jon WinterburnAuthor Commented:
masterpass - I have gone with the global.asax idea which looks good. However, when I convert your C# code to VB.NET I get an error on the line:

Dim securePagesList As List(Of String) = System.Configuration.ConfigurationManager.AppSettings("SecurePages").Split(","c).ToList(Of String)()

The error is:
Error 67 Extension method 'Public Function ToList() As System.Collections.Generic.List(Of TSource)' defined in 'System.Linq.Enumerable' is not generic (or has no free type parameters) and so cannot have type arguments.

The converted code is attached.

If Request.Url.AbsoluteUri.ToLower().Contains(".aspx") Then
            Dim url As Uri = HttpContext.Current.Request.Url
            Dim securePagesList As List(Of String) = System.Configuration.ConfigurationManager.AppSettings("SecurePages").Split(","c).ToList(Of String)()

            '(Of String)()
            Dim page As String = url.Segments(url.Segments.Length - 1).ToLower()
            If securePagesList.Contains(page) Then
                If Not Request.IsSecureConnection Then
                    Response.Redirect(url.ToString().Replace("http://", "https://"), True)

                End If
            ElseIf Request.IsSecureConnection Then
                Response.Redirect(url.ToString().Replace("https://", "http://"), True)
            End If
        End If

Open in new window

0
 
masterpassCommented:
Try the single line as ,
Dim securePagesList As List(Of String) = System.Configuration.ConfigurationManager.AppSettings("SecurePages").Split(","c).ToList()

Open in new window

0
 
Jon WinterburnAuthor Commented:
That gives me the ever useful "Object reference not set to an instance of an object."

I assume I've put the SecurePages in the right area of web.config?

<SecurePages>
            <add key="Personal.aspx" value="page" />
            <add key="/Mobile" value="directory" />
</SecurePages>

...just below <appSettings></appSettings>
0
 
masterpassCommented:
Small correction again
<appSettings>
<add key="SecurePages" value="page1.aspx,page2.aspx"/>
</appSettings>

Open in new window

0
 
Jon WinterburnAuthor Commented:
An excellent solution, thank you!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.