Using HttpModules to perform a SSL switch on web pages

  • Article

A common requirement of any secure website is to make sure that when a user traverses to a "sensitive" part of the website such the login page, the password reset page or even the personal profile page which might contain contact detail you would want the user to be forced onto a HTTPS secured page.

On the other hand, you might also want the user to be forced off the Secure protocol for general view pages so that the network bottleneck is eliminated at the server end due to unwanted overuse of HTTPS. One of the best ways to achieve this is using HttpModules in ASP.NET which provides a very powerful mechanism to intercept HTTP requests and redirect them as necessary.

To effectively develop HttpModule you need to

1. Hook up the module during the OnInit event

2. Trap the request during the PreRequestHandler event.

Digging into the code, it would be something like this:

 public class SslSwitchModule : IHttpModule    {        //store your secure pages in a hastable for fast retrieval.        //this can be populated when the application starts up so that repeated         // overhead is avoided.        private static Hashtable securePages = null;                        public void ProcessRequest(HttpContext context)        {            Uri requestUri = context.Request.Url;            //if the request is for HTTP, check if HTTPS is needed            if (!context.Request.IsSecureConnection)            {                string urlRequested = HttpUtility.UrlDecode(context.Request.Path.ToUpper().Replace(context.Request.ApplicationPath.ToUpper(),""));                if (SecurePages.ContainsValue(urlRequested))                {                    //switch to HTTPS                    string secureUrl = "https" + context.Request.Url.AbsoluteUri.Substring(4);                    context.Response.Redirect(secureUrl, true);                }            }            else            {                //if the url requested is inside the https,                // determine if its needed to be in that page                string urlRequested = HttpUtility.UrlDecode(context.Request.Path.ToUpper().Replace(context.Request.ApplicationPath.ToUpper(), ""));                if (!SecurePages.ContainsValue(urlRequested))                {                    //switch to HTTPS                    string unSecureUrl = "http" + context.Request.Url.AbsoluteUri.Substring(5);                    context.Response.Redirect(unSecureUrl, true);                }            }           }                      #region IHttpModule Members        public void Dispose()        {            ;        }        public void Init(HttpApplication context)        {                // wireup the event for processing             context.PreRequestHandlerExecute += new EventHandler(context_PreRequestHandlerExecute);                    }        void context_PreRequestHandlerExecute(object sender, EventArgs e)        {            HttpApplication httpApp = (HttpApplication)sender;            //process the request            this.ProcessRequest(httpApp.Context);        }               #endregion    }