SSL Redirect – Http Module
Vineet Batta here again…
Some time back one of our applications was released into production and since the application data was HBI we were required to protect data both in a rest and a transit. For transit we enabled SSL, that is the link to get to the application will require https://[websiteName] instead of http. Soon the support team started receiving emails regarding the inability of users to get to the web site. The reason behind this was that many folks were trying to access the website http://[WebsiteName] but this link was not working any more. It was a bad user experience for the first time users. To get around this usability scenario we wrote SSL Redirect – HTTP Module. This will route all the HTTP request to SSL enabled link that is HTTPS without the user experiencing any broken links or error pages. To the user it will be seamless user experience.
To use this module all you have to do is configure it in web.config.
Example of how the configuration should look like in the web.config
<modules>
<add name="Microsoft.InformationSecurity.Security.SslRedirection" type="Microsoft.InformationSecurity.Security.Wpl.SslRedirection.Redirect" />
</modules>
This module also supports a page exclusion feature through simple configurations like below. The module can be turned On or Off by setting module='On|Off' attribute value.
<WebExclusions module='On|Off' >
<files>
<add path="Contacts/Contacts.aspx"> </add>
<add path="default.aspx"> </add>
</files>
</WebExclusions>
So from the above example, the following pages Contacts.aspx and Default.aspx will be assessable through HTTP requests and all other pages will be accessible through only HTTPS request. If the request for those pages is using HTTP it will be redirected to HTTPs.
This will be released soon as part of Web protection Library v1.0 (WPL).
Good Luck programming and hope this helps.
-Vineet Batta
Comments
- Anonymous
August 04, 2009
>This will route all the HTTP request to SSL enabled link that is HTTPS without the user experiencing any broken links or error pages. I am guessing you will need to disable SSL only at the IIS level for this to work. Is that correct? Raj