ASP.Net (C#) How to POST to HTTPS from an HTTP page

Question

C# 3.0 ASP.Net 2.0 IIS6

I have a regular [non-https] page. There is the standard one ASP.Net form on the page.

There are two "areas" of functionality on the page though. Login and "Get Quote". The login page needs to POST to HTTPS while the rest of the page [including the "other area"] form can't be HTTPS. In Java [JSP] and regular Html, we would just have two forms. One that posts to HTTPS and one that doesn't.

What is the way to handle this in ASP.Net [from one page]. I know that I could link to an HTTPS login.aspx page, but the business really would like the context together.

Any ideas?

Thanks,

Answer 1

The solution is to use asp.net to specify a "cross page postback", that is, you user the PostBackUrl property of any button control (LinkButton, Button, ImageButton etc.). This property allows you to post back to any page you like. Just set your PostBackUrl to the https version of your page and you're good to go (also make sure there are no url redirects active which force http on your page).

// ensure we send credentials over a secure connection
if (!HttpContext.Current.Request.IsSecureConnection)
{
     string postbackUrl = HttpContext.Current.Request.Url.AbsoluteUri.Replace("http", "https");
     LinkButton_Login.PostBackUrl = postbackUrl;
}

In your specific case you should set one of your buttons to post back to the https version, and the other to the http version (if you don't specify the PostBackUrl the default is to post back to the page itself as is).

Answer 2

You could do a manual post through code using the HttpWebRequest object for the login event and then write the returned response back to the user's stream.

HttpWebRequest request = (HttpWebRequest)WebRequest.Create(webRequest.URL);
request.UserAgent = UserAgent;
request.ContentType = ContentType;
request.Method = "POST";

// Write your bytes of the login section here
 Stream oStream = request.GetRequestStream();
 oStream.Write(webRequest.BytesToWrite, 0, webRequest.BytesToWrite.Length);
 oStream.Close();

 // Send the request and get a response
 HttpWebResponse resp = (HttpWebResponse)request.GetResponse();

 // Read the response
 StreamReader sr = new StreamReader(resp.GetResponseStream());

 // return the response to the screen
 string returnedValue = sr.ReadToEnd();

  sr.Close();
  resp.Close();

  Response.Write(returnedValue);

Answer 3

In ASP.Net 3.5 (maybe SP1--forget if it was in the base library or the SP) you can now set the "action" attribute. But that would make it post to HTTPS for both 'forms'.

If you want to have both forms on the same page, and determine which to post to at 'runtime', you'll have to do it with client-side code. Have client handlers on all objects that trigger post backs or hook into the _dopostback (or whatever it's called--to lazy to look it up) function, and have it check which button was pressed. If the non-secure page, then clear out any data in the login fields first. Then manually trigger the postback yourself to the correct page.

Answer 4

Are the HTTP and HTTPS pages on the same server / part of the same application?

If so you maybe able to use the Server.Transfer() method to keep the form intact but also have the HTTPS.

Answer 5

Couldn't you just do a Response.Redirect("https://.../Login.aspx"); in the Login button click event.

Answer 6

You can have two forms on an aspx page. You just can't nest them.

On a page I built, I have one form that posts back to the page, and one that posts back to Google Checkout.

If you have to mix the contents of the page, put the https form at the bottom of the page (after the main form tag) and fill it with hidden fields. When the user clicks a button, use Javascript to assign values to the hidden fields and then post the https form.

Answer 7

I'm assuming from your context, that you are doing one thing or the other, not both at the same time.

Look at the PostbackURL of the button objects.
the login button can postback to "https://secure.login.com"

The other button can just postback to the page itself.

The problem here is that you'll still be posting back the login fields to the insecure page, which means they're not encrypted, and could be sniffed.

The quick and dirty workaround would be to have javascript clear the login fields before posting if the "Get Quote" button is pressed.