I am currently working on an ASP.NET MVC app. I am currently working on a login feature; my aim is to somehow implement SSL so that I can send the password in plain text to the server to be hashed there. In my controller I've added the RequireHttps attribute to the Login action result:

    [RequireHttps] // Require HTTPS for this MVC action
    public ActionResult Login()
    {
        return View();
    }

Currently it does nothing and the page should just display a form, but I will later add the functionality to get the data from the form to the controller (most likely via an AJAX call).

However, now that I've added this attribute I cannot load the login webpage. I then found this tutorial and followed the instructions with IIS Manager: http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

Now I get this screen when I try to access the page:

enter image description here

I know that I am most likely making an obvious mistake, as this is my first encounter with SSL and IIS. Any ideas?

Here's a screenshot of my IIS Manager: enter image description here

brian4342

1 Answer

The solution that is currently working is one from this question: ASP.NET MVC: How to automatically disable [RequireHttps] on localhost?

So I added the same code:

    using System;
    using System.Web.Mvc;

    public class RequireSSLAttribute : FilterAttribute, IAuthorizationFilter
    {
        public virtual void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null)
            {
                throw new ArgumentNullException("filterContext");
            }

            // Only act when the request did not arrive over HTTPS.
            if (!filterContext.HttpContext.Request.IsSecureConnection)
            {
                HandleNonHttpsRequest(filterContext);
            }
        }

        protected virtual void HandleNonHttpsRequest(AuthorizationContext filterContext)
        {
            // Substring match: any host name containing "localhost" skips the HTTPS requirement.
            if (filterContext.HttpContext.Request.Url.Host.Contains("localhost")) return;

            // Only GET requests are redirected; other methods are rejected.
            if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            {
                throw new InvalidOperationException("The requested resource can only be accessed via SSL");
            }

            // Redirect to the same host and path over HTTPS.
            string url = "https://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
            filterContext.Result = new RedirectResult(url);
        }
    }

And now it will work fine when I am testing on localhost. Though what happens if this site is hosted? Would SSL work?

brian4342
  • If this is the localhost domain that caused the issue then most probably the actual non-localhost domain name would cause no issues. – Wiktor Zychla Apr 25 '14 at 20:00
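
A stricter variant of the localhost exemption in the answer above, as an added example that is not part of the original post. The class name RequireHttpsExceptLoopbackAttribute is hypothetical; it assumes ASP.NET MVC (System.Web.Mvc) and reuses the framework's own RequireHttpsAttribute for the redirect and the rejection of non-GET requests.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical attribute name (added example). Deriving from the built-in
// RequireHttpsAttribute keeps its OnAuthorization check and its default
// handling: redirect GET requests to https://, reject other methods.
public class RequireHttpsExceptLoopbackAttribute : RequireHttpsAttribute
{
    protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        var request = filterContext.HttpContext.Request;

        // The Host header is chosen by the client, and a substring test such as
        // Host.Contains("localhost") also accepts a constructed name like
        // "localhost.example.com". Skip HTTPS only when both conditions hold:
        //   request.IsLocal       - the connection came from the loopback
        //                           address or from the server's own address
        //   request.Url.IsLoopback - the host is a loopback name or address,
        //                           not merely a name that contains "localhost"
        bool developerMachine =
            request.IsLocal &&
            request.Url != null &&
            request.Url.IsLoopback;

        if (developerMachine)
        {
            return; // plain HTTP allowed for local debugging only
        }

        // Everything else gets the framework's standard HTTPS enforcement.
        base.HandleNonHttpsRequest(filterContext);
    }
}
```

Applied as [RequireHttpsExceptLoopback] on the Login action, this leaves local debugging over plain HTTP working, while any request reaching a hosted site is still redirected or rejected unless it arrives over an HTTPS binding.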