堆栈内存溢出
  简体   繁体   English

ASP.net设计问题,如果在HTTPS上则强制重定向到HTTP

[英]ASP.net design problem, forcing redirect to HTTP if on HTTPS

 原文  2011-03-25 19:52:30       asp.net/ http/ ssl/ redirect/ https

问题描述

On my master page I have the functions: 在我的主页上,我具有以下功能: 

/// <summary>
/// Forces user to use unsecure HTTP connection
/// </summary>
public void FoceUnsecure()
{
    SSLHTTPDirect(false);
}

/// <summary>
/// Forces user to redirect to SSL
/// </summary>
public void ForceSSL()
{
    SSLHTTPDirect(true);
}

/// <summary>
/// Perform the redirect to self
/// </summary>
/// <param name="SSLRequired">True = Force HTTPS, False = Force HTTP</param>
private void SSLHTTPDirect(bool SSLRequired)
{
    if (int.Parse(ConfigurationManager.AppSettings["UseSSL"].ToString()) == 1)
    {
        bool IsOnSSL = HttpContext.Current.Request.Url.Scheme.ToLower() == "https";
        if (SSLRequired && !IsOnSSL)
            Response.Redirect(ConfigurationManager.AppSettings["SecureDomainRoot"] + "" + Request.RawUrl);
        else if (!SSLRequired && IsOnSSL)
            Response.Redirect(ConfigurationManager.AppSettings["MasterDomainRoot"] + "" + Request.RawUrl);
    }
}

On my SSL required pages, it works fine. 在需要SSL的页面上,它可以正常工作。 I just do Master.ForceSSL() and it redirects to the secure connection if they are on HTTP. 我只做Master.ForceSSL() ,如果它们在HTTP上,它将重定向到安全连接。

The problem is, I want to redirect all other pages to HTTP if they are on HTTPS without having to manually trawl through the pages adding the function call to ForceUnsecure() . 问题是,如果所有其他页面都位于HTTPS上,我想将它们重定向到HTTP,而不必手动浏览所有将函数调用添加到ForceUnsecure()

Whatever I try, I can't seem to work out from the Master page if the ForceSSL() function has been called (using flags and such). 无论我尝试什么,如果已调用ForceSSL()函数(使用标志等),我似乎都无法从母版页中解决。 Ideally I want something like 理想情况下,我想要类似

if(!SSLRequired && OnHTTPS){ForceUnsecure()}

But whatever I try the master page seems to perform all its checks BEFORE the content page makes a call to ForceSSL() . 但是,无论我尝试使用什么母版页,似乎在内容页调用ForceSSL()之前都会执行所有检查。 So I can never know the values the content page is setting. 因此,我永远无法知道内容页面所设置的值。

4 个解决方案

解决方案1
 1 已采纳  2011-03-25 20:32:02

In response to the comments, I'm turning this into an answer: 为了回应评论,我将其变成一个答案:

I know this isn't a direct answer to your question; 我知道这不是您问题的直接答案; however, I feel strongly enough about this to get on a soap box, so to speak. 但是,可以说,我对此感到非常强烈,可以坐上肥皂盒。

First off, if whatever you have is sensitive enough to require a username and password, then you shouldn't kneecap your users by sending their session cookie data unencrypted by forcibly turning off SSL after the initial login procedure. 首先,如果您所拥有的足够敏感,需要用户名和密码,那么您不应该通过在初始登录过程后通过强制关闭SSL来发送未加密的会话cookie数据来压制用户。

For most sites the amount of extra bandwidth and/or processing power necessary is trivial compared to loss of trust in the event that one or more accounts get hijacked. 对于大多数站点而言 ,与一个或多个帐户被劫持时失去信任相比,所需的额外带宽和/或处理能力微不足道。 Only you can decide if it's worth it to turn OFF ssl. 只有您可以决定关闭ssl是否值得。

If you believe that performance concerns may outweigh your business reputation, then use standard profiling tools against your application to see exactly what the impact is. 如果您认为性能问题可能胜过您的商业声誉,请对您的应用程序使用标准配置工具,以准确了解其影响。 These include one off tools like YSlow on up to "real" off the shelf tools like those included in the upper end versions of visual studio. 这些工具包括一个像YSlow这样的现成工具,以及像Visual Studio高端版本中包含的那些“真正”现成的工具。

Worthwhile links: 值得链接:
(discussing performance impact of SSL) (讨论SSL的性能影响)
How much overhead does SSL impose? SSL施加了多少开销?
HTTP vs HTTPS performance HTTP vs HTTPS性能

(discussing why turning off SSL after login is a bad idea) (讨论为什么登录后关闭SSL是个坏主意)
http://codebutler.com/firesheep http://codebutler.com/firesheep
http://codebutler.com/firesheep-a-week-later-idiot-shepherds http://codebutler.com/firesheep-a-week-later-idiot-shepherds
http://codebutler.com/firesheep-three-weeks-later-fallout http://codebutler.com/firesheep-three-weeks-later-fallout

(stack overflows take on its security - or lack thereof) https://meta.stackexchange.com/questions/69171/why-doesnt-the-stack-overflow-team-fix-the-firesheep-style-cookie-theft (堆栈溢出对其安全性-或缺乏安全性) https://meta.stackexchange.com/questions/69171/why-doesnt-the-stack-overflow-team-fix-the-firesheep-style-cookie-theft

All of this said, there are special circumstances that should be taken into account. 综上所述,应考虑特殊情况。 Namely, what is the potential downfall in the event an attacker intercepts and impersonates a user on your site? 也就是说,如果攻击者在您的站点上拦截并冒充用户,那么潜在的下降趋势是什么? If there is zero or close to zero negative aspects then turning off ssl might be okay. 如果是零或接近于零消极方面则关闭SSL 可能是正确的。 Even then I'd only think about going this route if the cost of not doing it was more than I could bear. 即使那样,如果不这样做的代价超出了我的承受能力,我只会考虑走这条路。

解决方案2
 0  2011-03-25 19:59:00

Instead of doing it in your code, there is a module created by Matt Sollars that allows you to use the web.config to specify what pages need SSL and what ones do not. Matt Sollars创建了一个模块,而不是在您的代码中执行此操作,该模块使您可以使用web.config来指定哪些页面需要SSL,哪些页面不需要SSL。 The library, article, and code is available at http://www.codeproject.com/KB/web-security/WebPageSecurity_v2.aspx . 该库,文章和代码可从http://www.codeproject.com/KB/web-security/WebPageSecurity_v2.aspx获得

解决方案3
 0  2011-03-25 19:59:17

You might want to take a look at the HttpModule class. 您可能想看一下HttpModule类。 These let you intercept requests and someone has done something along the lines of what you are trying to do. 这些可让您拦截请求,并且某人已按照您尝试做的事情做了一些事情。

解决方案4
 0  2011-07-27 10:39:11

Another aspect that has not been addressed so far is the effect on SEO. 到目前为止尚未解决的另一方面是对SEO的影响。 If you have two versions of a page that is linked to in both http and https format, then this can cause duplicate content issues in Google. 如果您有两个以http和https格式链接的页面版本,则这可能会导致Google中出现重复的内容问题。 In this instance, you should use 301 redirects to the appropriate protocol version of the page. 在这种情况下,您应该使用301重定向到页面的相应协议版本。 So if your login page is https://mysite/login then you should do a 301 redirect if you are on http://mysite/login to the https version. 因此,如果您的登录页面是https:// mysite / login,那么如果您使用http:// mysite / login到https版本,则应该执行301重定向。 Similarly, if you are linking back to the home page of your site from a secure url, you should use the non secure version of the home page url as this is what is most likely to be indexed in search engines. 同样,如果要从安全URL链接回站点的主页,则应使用主页URL的非安全版本,因为这是最有可能在搜索引擎中建立索引的版本。 If this is not possible, then you can use canonical tags in the page to tell search engines that the preferred format of the page is http or https - which will have less efficacy than a 301 redirect, but better than nothing. 如果无法做到这一点,则可以在页面中使用规范标记来告诉搜索引擎该页面的首选格式是http或https-其效果比301重定向的效果小,但总比没有好。

See this link for more info: http://www.mattcutts.com/blog/seo-advice-url-canonicalization/ 有关更多信息,请参见此链接: http : //www.mattcutts.com/blog/seo-advice-url-canonicalization/

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 ASP.NET Core 将 http 重定向到 https - ASP.NET Core redirect http to https 在ASP.NET中从Https重定向到Https - Https to Http redirect in asp.net 使用www前缀的ASP.NET HTTP到HTTPS重定向 - ASP.NET HTTP to HTTPS redirect with www prefix 如何在ASP.NET页面生命周期中从HTTP重定向到HTTPS? - How to redirect from HTTP to HTTPS in the ASP.NET page lifecycle? IIS URL HTTP 到 HTTPS 重定向不适用于 ASP.Net 应用程序 - IIS URL HTTP to HTTPS redirect not working on ASP.Net application HTTP 重定向到 IIS 上的 HTTPS (ASP.Net Core 3.1) - HTTP redirect to HTTPS on IIS (ASP.Net Core 3.1) ASP.NET中的重定向问题 - Redirect problem in ASP.NET ASP.net重定向问题 - ASP.net redirect problem ASP.NET Core服务不会重定向http:localhost: <https-port> 到https模式 - ASP.NET Core service won't redirect http:localhost:<https-port> to https schema ASP.NET HTTPS重定向和HSTS标头 - ASP.NET HTTPS redirect & HSTS headers
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM