I'm using MVC5 on some IIS servers on Amazon EC2, behind an Amazon Elastic Load Balancer. The IIS servers run only the HTTP protocol, and the ELB converts to HTTPS.

The IIS server doesn't know if the user is accessing through HTTPS, so I have a rewrite rule checking the "X-Forwarded-Proto" header to redirect the user to HTTPS.

Unfortunately, when a login is required, MVC/IIS redirects the user to a logon page in HTTP.

If I check my website in a tool like http://www.redirect-checker.org/ I get these types of results:

http://example.com/

301 Moved Permanently (my URL rewrite rule)

https://example.com/

302 Found (Login-required redirect -> why to HTTP?)

http://example.com/Account/Logon?ReturnUrl=%2F

301 Moved Permanently (again my URL rewrite rule)

https://example.com/Account/Logon?ReturnUrl=%2F

200 OK

Am I missing something?

Can I configure login-redirect to keep protocol, eliminating one of these redirects?

Better yet, can I somehow precede login-redirect rule and make it force HTTPS, in order to have only one redirect?

Thanks a lot!

Appendix: I checked that commands like "RedirectToAction" send addresses like "/Index2", not the whole "http://example.com/Index2". This is fine, so it keeps the user protocol.

TNT

1 Answer


Assuming you're using ASP.NET forms authentication, have a look in your web.config for your Authentication configuration and add requireSSL="true" to the <forms> element, as below:

    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="2880" requireSSL="true" />
    </authentication>

Tom Hall
  • Actually I'm using AspNet.Identity v2.2.1. This seems to be the way, but I couldn't find a requireSSL equivalent. – TNT Feb 20 '17 at 17:01
  • It might be worth having a look at this SO question: http://stackoverflow.com/questions/30615017/asp-net-identity-login-redirect-enforce-protocol-https – Tom Hall Feb 22 '17 at 01:10
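
An added example, not part of the answer or comments above and not taken from the linked question: one way to keep the login redirect on HTTPS with ASP.NET Identity 2.x (OWIN cookie authentication) when TLS terminates at the ELB. It assumes the instances accept traffic only from the load balancer, so a client cannot supply "X-Forwarded-Proto" directly; the Startup/ConfigureAuth layout is the standard MVC5 template and the login path is the one shown in the question.

```csharp
// Startup.Auth.cs: added illustration, not code from the original thread.
// Assumption: only the ELB can reach these instances, so X-Forwarded-Proto
// is set by the load balancer and cannot be spoofed by a client.
using System;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Register before the cookie middleware: restore the scheme the client
        // actually used, so absolute URLs built later in the pipeline
        // (including the 302 to the login page) start with https://.
        app.Use((context, next) =>
        {
            string proto = context.Request.Headers.Get("X-Forwarded-Proto");
            if (string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase))
            {
                context.Request.Scheme = "https";
            }
            return next();
        });

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Logon"), // path from the question
            // Mark the auth cookie Secure even though IIS itself only sees HTTP.
            CookieSecure = CookieSecureOption.Always,
            Provider = new CookieAuthenticationProvider
            {
                // Optional second guard: never emit an http:// login redirect,
                // even if the forwarded header is missing.
                OnApplyRedirect = ctx =>
                {
                    var uri = new UriBuilder(ctx.RedirectUri)
                    {
                        Scheme = Uri.UriSchemeHttps,
                        Port = -1 // use the default HTTPS port
                    };
                    ctx.Response.Redirect(uri.Uri.AbsoluteUri);
                }
            }
        });
    }
}
```

With the scheme restored before the cookie middleware runs, the 302 for https://example.com/ points at https://example.com/Account/Logon?ReturnUrl=%2F directly, which removes the intermediate HTTP hop shown in the redirect trace.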