Using HttpModules to perform a SSL switch on web pages

A common requirement of any secure website is to make sure that when a user traverses to a "sensitive" part of the website such the login page, the password reset page or even the personal profile page which might contain contact detail you would want the user to be forced onto a HTTPS secured page.

On the other hand, you might also want the user to be forced off the Secure protocol for general view pages so that the network bottleneck is eliminated at the server end due to unwanted overuse of HTTPS. One of the best ways to achieve this is using HttpModules in ASP.NET which provides a very powerful mechanism to intercept HTTP requests and redirect them as necessary.

To effectively develop HttpModule you need to

1. Hook up the module during the OnInit event

2. Trap the request during the PreRequestHandler event.

Digging into the code, it would be something like this:

 public class SslSwitchModule : IHttpModule    {        //store your secure pages in a hastable for fast retrieval.        //this can be populated when the application starts up so that repeated         // overhead is avoided.        private static Hashtable securePages = null;                        public void ProcessRequest(HttpContext context)        {            Uri requestUri = context.Request.Url;            //if the request is for HTTP, check if HTTPS is needed            if (!context.Request.IsSecureConnection)            {                string urlRequested = HttpUtility.UrlDecode(context.Request.Path.ToUpper().Replace(context.Request.ApplicationPath.ToUpper(),""));                if (SecurePages.ContainsValue(urlRequested))                {                    //switch to HTTPS                    string secureUrl = "https" + context.Request.Url.AbsoluteUri.Substring(4);                    context.Response.Redirect(secureUrl, true);                }            }            else            {                //if the url requested is inside the https,                // determine if its needed to be in that page                string urlRequested = HttpUtility.UrlDecode(context.Request.Path.ToUpper().Replace(context.Request.ApplicationPath.ToUpper(), ""));                if (!SecurePages.ContainsValue(urlRequested))                {                    //switch to HTTPS                    string unSecureUrl = "http" + context.Request.Url.AbsoluteUri.Substring(5);                    context.Response.Redirect(unSecureUrl, true);                }            }           }                      #region IHttpModule Members        public void Dispose()        {            ;        }        public void Init(HttpApplication context)        {                // wireup the event for processing             context.PreRequestHandlerExecute += new EventHandler(context_PreRequestHandlerExecute);                    }        void context_PreRequestHandlerExecute(object sender, EventArgs e)        {            HttpApplication httpApp = (HttpApplication)sender;            //process the request            this.ProcessRequest(httpApp.Context);        }               #endregion    }

Comments

  • Anonymous
    September 04, 2008
    PingBack from http://www.easycoded.com/using-httpmodules-to-perform-a-ssl-switch-on-web-pages/

  • Anonymous
    September 05, 2008
    What would be the impact on the postback requests? will there be any data loss?

  • Anonymous
    September 05, 2008
    Thanks for the insight into this, handy code snippit!

  • Anonymous
    September 08, 2008
    For the query "What would be the impact on the postback requests? will there be any data loss?", the answer is it depends! If you are doing a postback with the appropriate protocol included (for e.g. to a HTTPS page which requires it) then there would not be any data loss, but if you are doing a postback to a page which requires SECURE but the target of the postback URL has been mentioned as http, then there would be a loss.