Reputation: 57373
RequireHttps Fails On Redirects with Parameters
Besides simply redirecting from HTTP to HTTPS, the RequireHttps attribute also changes my URL's question mark ? to %3F. Unsurprisingly, that breaks things.
Why? How do I fix it?
scenario:
I try to navigate to
http://www.example.com/message/composeBut let's say I don't have permission to view that page.
<HandleError()> _ Public Class MessageController Inherits System.Web.Mvc.Controller Function Compose() As ActionResult ... If ... Then Throw New Exception(Net.HttpStatusCode.Unauthorized.ToString) End If ... Return View() End Function ... End ClassThe action throws an exception.
The exception is handled by my Error.aspx page
<%@ Page Language="VB" Inherits="System.Web.Mvc.ViewPage(Of System.Web.Mvc.HandleErrorInfo)" %> <script runat="server"> Sub Page_Load(ByVal Sender As System.Object, ByVal e As System.EventArgs) If Model.Exception.Message = Net.HttpStatusCode.Unauthorized.ToString Then response.redirect("/signin?ReturnUrl=" + Url.Encode(request.Path)) End If ... End Sub </script> ...I'm redirected to my Sign In page at
http://www.example.com/signin?ReturnUrl=%2fmessage%2fcomposeBut I'm using HTTP and not HTTPS. My action requires HTTPS. (That RemoteRequireHttps inherits from RequireHttps and overrides its OnAuthorization method to simply disregard localhost.)
<HandleError()> _ Public Class AccountController Inherits System.Web.Mvc.Controller <RemoteRequireHttps()> _ Function SignIn() As ActionResult ... End Function ... End ClassI'm redirected to
https://www.example.com/signin%3FReturnUrl=%2fmessage%2fcomposeI see this error in my browser:
Bad Request
It seems that RequireHttps changes my question mark ? to %3F.
Upvotes: 0
Views: 1101
Answers (3)
Reputation: 146228
My answer to my own question here might help (appears to be a bug in MVC 2 Preview 2)
Can I ask why you're not using [Authorize] or a custom authorization attribute. If you're using .NET authentication you should use [Authorize].
Note: even if you do use [Authorize] it doesnt actually fix the problem you're experiencing.
Upvotes: 1
Reputation: 57373
I've just reengineered this to avoid the question mark (and also exception throws) altogether.
scenario:
I try to navigate to http://www.example.com/message/compose
But let's say I don't have permission to view that page.
Public Class MessageController
Inherits System.Web.Mvc.Controller
Function Compose() As ActionResult
...
If ... Then
Return RedirectToAction("SignIn", "Account", New With {.ReturnUrl = Request.Path})
End If
...
Return View()
End Function
...
End Class
I'm redirected to my Sign In page. My route looks like this:
routes.MapRoute( _
"SignIn", _
"signin/{*ReturnUrl}", _
New With {.controller = "Account", _
.action = "SignIn", _
.ReturnUrl = ""} _
)
So that's at address http://www.example.com/signin/message/compose
But I'm using HTTP and not HTTPS. My action requires HTTPS.
Public Class AccountController
Inherits System.Web.Mvc.Controller
<RemoteRequireHttps()> _
Function SignIn(ByVal ReturnUrl As String) As ActionResult
...
End Function
...
End Class
I'm redirected to https://www.example.com/signin/message/compose
No question mark. No problem.
Upvotes: 0
Reputation: 3270
We're considering using a URL rewriter like ISAPI Rewrite to handle things like this before they ever get to your code. Of course, this would only work if you have access to the server.
Also, if you're using IIS 7, I believe it comes with URL rewriting functionality built in.
Upvotes: 1
Related Questions
- RequireHttpsAttribute with ASP.NET Core MVC - ERR_TOO_MANY_REDIRECTS
- ERR_TOO_MANY_REDIRECTS when forcing HTTPS on MVC5 app
- MVC RequireHttps entire site
- MVC RequireHttps and redirect if not https
- Error in MVC redirect: Server cannot append header after HTTP headers have been sent
- ASP MVC 3 RequireHttps attribute change all links to https
- RequireHttps and routing to https URL
- ASP.net design problem, forcing redirect to HTTP if on HTTPS
- ASP.NET MVC - RequireHttps - Specify a redirect URL
- ASP.Net MVC RedirectToSsl Issue