7

Once you place [RequireHttps] on an action and the user switches from HTTP to HTTPS, all subsequent links will stay HTTPS...

Is there a way to switch back to HTTP?

1
  • This can be done with filters. Try searching SO, there are many questions almost exactly the same as yours. Commented Feb 21, 2012 at 2:04

3 Answers

6

Technically, you could do it

You could look at the source of RequireHttpsAttribute and reverse it.

In practice, you probably shouldn't

If the session is still alive, it is generally inadvisable to return to HTTP. This can be the foundation for a variety of attacks, for example, session hijacking.


3 Comments

Thanks for all the links - I generally agree with you, but I have a "contact us" page for which I'd like to enforce SSL - the rest of the site is informational.
@zam6ak No problem. You'll be OK if the rest of the site is only informational, but what do you hope to gain by returning to HTTP?
I read somewhere that switching schemes "hurts" SEO. Unfortunately, I don't have the link to the article anymore, and I am not 100% sure if that is true...
2

There is a pretty detailed description of how to handle switching from HTTPS back to HTTP for specific action methods at this link:

http://blog.clicktricity.com/2010/03/switching-to-https-and-back-to-http-in-asp-net-mvc/


1

Here's the 'ExitHttpsIfNotRequired' attribute I use:

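using System;
using System.Web.Mvc;

// Marker attribute: apply to a controller or action that must stay on HTTPS
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]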
public class RetainHttpsAttribute : Attribute
{
}

public class ExitHttpsIfNotRequiredAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        // Abort if it's not a secure connection  
        if (!filterContext.HttpContext.Request.IsSecureConnection) return;

        if (filterContext.ActionDescriptor.ControllerDescriptor.ControllerName == "sdsd") return;

        // Abort if it's a child action
        if (filterContext.IsChildAction) return;

        // Abort if a [RequireHttps] attribute is applied to controller or action  
        if (filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), true).Length > 0) return;
        if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), true).Length > 0) return;

        // Abort if a [RetainHttps] attribute is applied to controller or action  
        if (filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(RetainHttpsAttribute), true).Length > 0) return;
        if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(RetainHttpsAttribute), true).Length > 0) return;

        // Abort if it's not a GET request - we don't want to be redirecting on a form post  
        if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase)) return;

        // Abort if the error controller is being called - we may wish to display the error within a https page
        if (filterContext.ActionDescriptor.ControllerDescriptor.ControllerName == "Error") return;

        // No problems - redirect to HTTP
        string url = "http://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
        filterContext.Result = new RedirectResult(url);
    }
}
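
An added example, not part of the answer above or of the linked post: a variant of the filter that takes the session-hijacking concern from the first answer into account by staying on HTTPS whenever the request is authenticated or carries a session or forms-authentication cookie. The class name, the default `ASP.NET_SessionId` cookie name and the default HTTP port are assumptions.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

// Added example (not from the answers): only leave HTTPS when the request
// carries no authenticated identity and no session or forms-auth cookie.
public class ExitHttpsWhenAnonymousAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumption: the default ASP.NET session cookie name is in use.
    private const string SessionCookieName = "ASP.NET_SessionId";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Nothing to do for plain HTTP, child actions or non-GET requests.
        if (!request.IsSecureConnection) return;
        if (filterContext.IsChildAction) return;
        if (!String.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase)) return;

        // Stay on HTTPS if the action or its controller is marked [RequireHttps].
        if (filterContext.ActionDescriptor.IsDefined(typeof(RequireHttpsAttribute), true)) return;
        if (filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(RequireHttpsAttribute), true)) return;

        // Stay on HTTPS while the browser holds anything that identifies the user:
        // after a redirect to http://, later requests to this host travel in clear text.
        if (request.IsAuthenticated) return;
        if (request.Cookies[SessionCookieName] != null) return;
        if (request.Cookies[FormsAuthentication.FormsCookieName] != null) return;

        // Rebuild the URL from the parsed request URI instead of concatenating strings.
        // Port = -1 selects the scheme's default port (assumption: HTTP is served on 80).
        var builder = new UriBuilder(request.Url) { Scheme = Uri.UriSchemeHttp, Port = -1 };
        filterContext.Result = new RedirectResult(builder.Uri.AbsoluteUri);
    }
}
```

Marking the session and forms-authentication cookies Secure (`requireSSL="true"` on `<httpCookies>` and `<forms>` in Web.config) keeps the browser from sending them over plain HTTP if a downgrade does happen.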
