Solved

HTTPS is no longer "Enforced"

Posted on 2011-02-13
10
392 Views
Last Modified: 2012-05-11
We have a web app since Adam and Eve. It is a ASP.NET app running on IIS 6 over a w2003 server. When a User logged in, somehow the app changed to HTTPS. Do not ask me how as that is now a matter of original development team vs. new.

However, I know for a fact this was the case. Now, it is not. New Head developer states nothing has changed and worst, than there is no code in the app to do this.

So, if anyone has any advice, it will be really appreciated.

Thanks in advanced.
0
Comment
Question by:phermi
  • 5
  • 4
10 Comments
 
LVL 12

Assisted Solution

by:Amick
Amick earned 50 total points
ID: 34882945
If it isn't in the program, I'd look in the server configuration.
Review this information: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/56bdf977-14f8-4867-9c51-34c346d48b04.mspx?mfr=true
0
 

Author Comment

by:phermi
ID: 34883174
Amick,

Thanks but that is too obvious. I know how to do that and i fact the server accepts HTTPS request with no problems.

Is the change to HTTPS after the user logs in what does not work.

As a workaround, while I fight the developers, I thought I could re-direct all request to http://site.com to https://site.com by doing something on IIS. I have not found the way to accomplish that either.

Thanks
0
 

Author Comment

by:phermi
ID: 34883186
Forgot to add .. if you do that, REQUIERE SECURE CHANNEL, HTTP request will produce an error.
0
 
LVL 11

Accepted Solution

by:
b_levitt earned 450 total points
ID: 34887712
most likely there was a redirect in there somewhere.  There's a number of ways to do this:
* From the asp.net code itself

* By setting up two IIS Sites.  One for the ssl site.  A second for the http site that has a redirect rule to the https site (properties -> home directory -> "a redirection to a url")

* Similar to the above but the redirect occured on the firewall/load balancer instead.  If the developers say nothing has changed, and if whoever manages iis has said nothing has changed, then your network engineer might be the next person you go after.
0
 
LVL 11

Expert Comment

by:b_levitt
ID: 34887741
A little more info: The second one was the one I used.  I would set up a www.mysite.com site and a www.mysite.com (redirects).  In addtion to ssl redirects where necessary, I'd do redirects from mysite.com to www.mysite.com.

Also, if you are using a firewall/load balancer to do the redirect, it's possible that it is still working.  What might of changed is your internal routing, dns, or proxying.  Last week your traffic might have been routed so it followed the same route that external traffic did, which means that it would hit the same redirect.  You now might be going to the iis server directly, thus bypassing the firewall's redirect.
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 

Author Comment

by:phermi
ID: 34888113
d_levitt: Yes, and I tried that approach. The problem is that ALL pages are re-directd to HTPPS and we have one public page that uses CAPTCHA and it seems to be a proble displayng the CAPTCHA elements on HTTPS, which means that upon LOGOUT, we will reverse back to HTTP.

So, not to start a witches' hunt here, I am ordering the addition of code to fix this so that production and development environment work correctly .... The code looks like ths (for others in the future):

AT LOGIN (JS):

function forceSSLSubmit() {
   
    var strAction = document.forms[0].action.toString();

    if (strAction.toLowerCase().indexOf("http:") == 0) {
        strAction = "https" + strAction.substring(4);
 
        document.forms[0].action = strAction;
    }
}

AT LOGOUT (C#):

string url = Context.Request.Url.AbsoluteUri;
if (url.IndexOf("https") == 0)
{
url = url.Replace("https", "http");

}
HttpContext.Current.Response.Redirect(url, true);
0
 
LVL 11

Expert Comment

by:b_levitt
ID: 34888305
ah, well if the ssl redirect is conditional, it is unlikely (but not impossible) that it was anywhere other than in code.  I appologize, I missed the "when the user logged in".

As far as your code goes, I would either recommend redirecting on the server side (although you seemed to indicate this is not possible because of your captcha control), or simply changing your form action or link to an absolute url (including the https).  Your javascript code may fail or be bypassed, plus the form url could be a relative link and not have "http:" in it in the first place.

Also, be sure that your logout redirect is after any logic that needs to occur.  A redirect to a non-ssl page will start a new session, which would probably cause your log out logic to fail.

Last, you could also have a secure.domain.com to redirect to.  This would give you better control of "forcing" ssl on all pages.  Although even sites like amazon don't redirect if the user manually changes the https to http so I'm not sure how much you need to worry about protecting users from themselves.


0
 

Author Comment

by:phermi
ID: 34889070
b_levitt: Thanks again. A far as we understand, JS can only fail if JS is not enabled in the browser. This is a system requirement for us as we used AJAK intensively. We are in fact changing the form action with that code, or so do we believe.

Logout: no problems, we are doing exactly that.

The redirect via another site is what I implemented as a workaround, but some "experts" state that this will mess up the search engines ratings.

Who knows?

For now, I am moving ahead with the code shown above, unless you bring me a compelling reason not to.

Thanks again.
0
 
LVL 11

Expert Comment

by:b_levitt
ID: 34889427
Sounds good on all accounts other than the "search engine ratings" ...

I beleive you said the secure portion of this is protected by a captcha control so I'm not exactly sure how your "experts" think any spider is getting by that to index the site to begin with, let alone ranking it.  Even if it did, intrasite linking is NOT going to raise your ratings (links = votes and google isn't so stupid to let you vote for yourself).  Last, google is not going to see that javascript, so I would think that it would be better to have a link vs no link at all.

Sorry, don't mean to rant.  But SEO seems to be falling into the hands of marketing dolts that have captured a few technical buzzwords and then slap a name like "link juice" on a glass of cool-aid and sell it as something new.
0
 

Author Comment

by:phermi
ID: 34889489
No No .. I am confusing you.

Re-directing ALL traffic to HTTPS causes an issue in a PUBLIC page that uses CAPTCHA. That page is used to request DEMOs of the System and we do not want in any way to affect that part. Obviously, we can't afford non-SSL logins, so we put the redirect in place being the lesser of two evils.

Now, the "experts" advised us against using re-direct because it may have a negative impact on ratings. Whether that is true or not, I do not know ... but the problem is fixed now ...

Have a great one
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Today I came across an interesting issue that had me pulling my hair out.  I was troubleshooting a new internal web site which uses integrated security instead of anonymous.  When browsing the site from my laptop, I was able to access it with no iss…
Prologue It is often required to host multiple websites on a single instance of IIS, mostly in development environments instead of on production servers. I am sure it is not much a preferred solution on production servers but this is at least a pos…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now