Dinesh Kumar
asked on
redirect http page to https in every browser
Hi,
I am using following code to redirect my aspx http page to https page.
The following code works fine in chrome, opera, firefox but fails in internet explorer.
My code:
<script type="text/javascript">
window.location = window.location.href.replace(/^http:/, 'https:');
</script>
------------------
in web.config
<rewrite>
  <rules>
    <clear />
    <rule name="Redirect to https" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
    </rule>
  </rules>
</rewrite>
------------------------
<httpCookies httpOnlyCookies="true" requireSSL="true" />
---------------------------
<add key="HttpsServer" value="prod"/>
in global.asax
protected void Application_BeginRequest(object sender, EventArgs e)
{
    if (ConfigurationManager.AppSettings["HttpsServer"].ToString() == "prod")
    //if (ConfigurationManager.AppSettings["HttpsServer"].ToString() == "stage")
    {
        if (!HttpContext.Current.Request.IsSecureConnection)
        {
            if (!Request.Url.GetLeftPart(UriPartial.Authority).Contains("www"))
            {
                HttpContext.Current.Response.Redirect(
                    Request.Url.GetLeftPart(UriPartial.Authority).Replace("http://", "https://www."), true);
            }
            else
            {
                HttpContext.Current.Response.Redirect(
                    Request.Url.GetLeftPart(UriPartial.Authority).Replace("http://", "https://"), true);
            }
        }
    }
}
--------------------------
thanks,
dinesh.
The better way is to use IIS URL Rewrite. This redirects the page at the server level.
Consider the Javascript to be replaced with
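<script language="JavaScript">
<!-- begin hide
function ReDirectHttps()
{
    // Redirect only when the page was loaded over plain HTTP; redirecting
    // unconditionally would reload the HTTPS page in an endless loop.
    if (window.location.protocol !== "https:")
    {
        // Keep the query string and fragment along with host and path.
        var oldURL = window.location.hostname + window.location.pathname +
                     window.location.search + window.location.hash;
        var newURL = "https://" + oldURL;
        window.location = newURL;
    }
}
ReDirectHttps();
// end hide -->
</script>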
The IIS URL Rewrite Module is available for IIS 7 and higher only. In web.config, you need:
<rules>
  <rule name="HTTP/S to HTTPS Redirect" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAny">
      <add input="{SERVER_PORT_SECURE}" pattern="^1$" />
      <add input="{SERVER_PORT_SECURE}" pattern="^0$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/OWA/" redirectType="Permanent" />
  </rule>
</rules>
(Method 1) http://blogs.msdn.com/b/kaushal/archive/2013/05/23/http-to-https-redirects-on-iis-7-x-and-higher.aspx
For the IsSecureConnection check, probably go simple first to see if it works for browsers:
if (!Request.IsLocal && !Request.IsSecureConnection)
{
    string redirectUrl = Request.Url.ToString().Replace("http:", "https:");
    // endResponse = false avoids the ThreadAbortException raised by Response.End()
    Response.Redirect(redirectUrl, false);
    // HttpContext.Current is needed here: ApplicationInstance is an instance property
    HttpContext.Current.ApplicationInstance.CompleteRequest();
}
The framework documentation mentions the recommended pattern for terminating the request:
When you use this method in a page handler to terminate a request for one page and start a new request for another page, set endResponse to false and then call the CompleteRequest method.
https://msdn.microsoft.com/en-us/library/a8wa7sdt(v=vs.110).aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-2
ASKER
Please find the attachment and I also tried following
if (!Request.IsSecureConnection)
{
    string redirectUrl = Request.Url.ToString().Replace("http:", "https:");
    Response.Redirect(redirectUrl);
    //HttpContext.Current.ApplicationInstance.CompleteRequest();
}
Not sure why, in IE9 set as default (Windows 7), the URL does not change to https even though I set all SSL and TLS options in Internet Options to true.
After-Redirection-Not-Show-in-IE.PNG
Maybe also check that "Do not save encrypted pages to disk" under Tools > Options > Advanced is unchecked. By default, it should be unchecked already, but it is checked for server builds.
However, the option is occasionally set by Group Policy as an attack-surface-reduction measure, although the side-effects of doing so can be pretty dire. The problem is that this option makes SSL-delivered downloads uncacheable by default, and that can lead to the dreaded “Internet Explorer cannot download” dialog.
Retry by closing the browser and restarting it.
Ref - http://blogs.msdn.com/b/ieinternals/archive/2010/04/21/internet-explorer-may-bypass-cache-for-cross-domain-https-content.aspx
In a similar context, some have shared that IE requires an established http connection to be fully closed if there is any redirect to an https connection. This is due to IE being "smart" to reuse the existing http channel for https and, out of context, being ignorant of the new redirect. This can lead to potential errors. So the response header requires explicit connection closure, which I suppose goes under the IsSecureConnection() check,
e.g. System.Web.HttpContext.Current.Response.AddHeader("Connection", "close");
See this (in fact it is not recommended for redirect unless you do a perm 301)
http://www.troyhunt.com/2011/11/owasp-top-10-for-net-developers-part-9.html
protected void Application_BeginRequest(Object sender, EventArgs e)
{
    switch (Request.Url.Scheme)
    {
        case "https":
            // Tell the browser to use HTTPS only for the next max-age seconds
            Response.AddHeader("Strict-Transport-Security", "max-age=300");
            break;
        case "http":
            // Permanent redirect to the same host, path and query over HTTPS
            var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
            Response.Status = "301 Moved Permanently";
            Response.AddHeader("Location", path);
            break;
    }
}
This also requires the browser to support HSTS. But the idea is under e.g. case "http"
ASKER
The above code also did not work.. and surprisingly other sites like google.com, vpn.companyname.com are getting redirected to https
Is this possible, if I run this code on Server after check-in it may work good..without any issue..
In fact the code is supposedly for the webserver per se.
The HSTS header and forceful redirection to the HTTPS scheme can both easily be implemented in the Application_BeginRequest event of the global.asax...
You may want to sniff the http headers and packets via Fiddler or the browser developer tools for the flagged error for failure to redirect in your localhost testing. Best to test on staging prior to production on the redirect. As for the code specific to "Strict-Transport-Security", not all browsers are supported though.
...Going back to the original example where packets sent over HTTP were sniffed, if the login had been over HTTPS and HSTS was used, it would have been impossible for the browser to issue requests over HTTP for the next 500 seconds even if explicitly asked to do so. Of course this structure then disallows any content to be served over HTTP but in many cases, this is precisely the scenario you’re looking to achieve.
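What to look for when inspecting the headers in Fiddler or the browser developer tools, as advised above. This is an added example, not part of the thread or anyone's posted code: `auditExchange`, `auditAll` and the sample captures are hypothetical, and the policy it checks (301, path and query preserved, HSTS only on HTTPS responses) is an assumption drawn from the snippets in the thread.

```javascript
// Added example, not from the thread. URLs and header values are constructed.
// Policy assumed from the thread: plain-HTTP requests get a 301 to the same
// path and query over https; https responses carry Strict-Transport-Security.

// Returns a list of findings for one captured request/response pair.
function auditExchange(ex) {
  const findings = [];
  const req = new URL(ex.url);
  const h = {};
  for (const [k, v] of Object.entries(ex.headers)) h[k.toLowerCase()] = v;

  if (req.protocol === "http:") {
    if (ex.status !== 301) findings.push("status " + ex.status + ", expected 301");
    if (!h["location"]) {
      findings.push("no Location header");
    } else {
      const target = new URL(h["location"], ex.url); // resolves relative values
      if (target.protocol !== "https:") findings.push("Location is not https");
      if (target.pathname + target.search !== req.pathname + req.search)
        findings.push("Location drops or changes path/query");
    }
    if ("strict-transport-security" in h)
      findings.push("HSTS sent over http, where browsers ignore it");
  } else if (!/max-age=\d+/i.test(h["strict-transport-security"] || "")) {
    findings.push("https response lacks Strict-Transport-Security max-age");
  }
  return findings;
}

function auditAll(list) { return list.map(auditExchange); }

const captured = [
  // Authority-only 302, as Response.Redirect on GetLeftPart(UriPartial.Authority) yields
  { url: "http://www.example.test/account/login.aspx?id=7", status: 302,
    headers: { Location: "https://www.example.test" } },
  // Full-URL permanent redirect
  { url: "http://www.example.test/account/login.aspx?id=7", status: 301,
    headers: { Location: "https://www.example.test/account/login.aspx?id=7" } },
  // HTTPS response with the header from the thread's sample code
  { url: "https://www.example.test/account/login.aspx?id=7", status: 200,
    headers: { "Strict-Transport-Security": "max-age=300" } },
];

auditAll(captured).forEach((f, i) => console.log(i, f.length ? f.join("; ") : "ok"));
```

The first capture is flagged twice (302 instead of 301, and the path and query are lost), which is the behaviour a redirect built from the authority part alone produces.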
... or you could try using URL Rewrite.
ASKER
It's a known issue in IE9, it seems, so we need to apply the attached settings so that the site opens up.
IE9.PNG
ASKER
Thank you..
Normally, we would do this in a non code way using our barracuda network.
Since you want to go the code route, then try this:
Add that piece of code to your page_load() event in your default page.