3

I want my users to access a specific ASP.NET virtual directory only via SSL. Is there an option in web.config that allows me to specify this?

abatishchev
HCL

2 Answers

3

You can do that in IIS7. Go to SSL Settings for your application; you will see a check box with the option "Require SSL". Check it and your job is done. Now your website can be accessed over https only and not over http. Remember that you need an SSL certificate, otherwise browsers will show warning messages for your website. And yeah, I don't think you can achieve this with web.config.

Edit: sample code

Full customization is possible using the Global.asax file. You can add specific conditions and apply https or http. The sample code below shows that if the page is login/checkout and the connection is not secure, it redirects from http to https; also, I may not need https for the contact page.

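    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        // IIS matches paths case-insensitively, so "Login.aspx" must be caught as well.
        StringComparison ci = StringComparison.OrdinalIgnoreCase;

        // Login and checkout must be served over https.
        if ((Request.Path.EndsWith("login.aspx", ci) || Request.Path.EndsWith("checkout.aspx", ci)) && !Request.IsSecureConnection)
        {
            Response.Redirect(Request.Url.AbsoluteUri.Replace("http:", "https:"));
        }
        // The contact page does not need https, so it is sent back to http.
        // Every other page keeps the scheme it arrived on.
        else if (Request.IsSecureConnection && Request.Path.EndsWith("contact.aspx", ci))
        {
            Response.Redirect(Request.Url.AbsoluteUri.Replace("https:", "http:"));
        }
    }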
pramodtech
  • Thanks for your answer, I'm aware that I can do this with IIS bindings, but I do not have access to them. – HCL May 02 '11 at 13:46
  • I would suggest using IIS, but since you don't have access you can do that in web.config. More details: http://forums.asp.net/t/1409637.aspx/1 – pramodtech May 02 '11 at 13:54
  • +1 Thanks, I tried this, but this does not seem to disable the login page itself: the user can log on (unsecured), and after this operation an error that SSL is required will be shown. Is it possible to also disable http for the login page, so that the user does not send their credentials unencrypted? – HCL May 02 '11 at 14:17
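
An added example, not part of the original answer or comments: the Global.asax approach applied to a whole virtual directory instead of single pages, including the login case raised in the last comment. The class name `Global` and the directory name `/secure` are assumptions chosen for illustration.

```csharp
using System;
using System.Web;

// Added example. "Global" and the "/secure" directory name are assumptions.
public class Global : HttpApplication
{
    private const string SecureDir = "/secure";

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Note: IsSecureConnection is false when TLS ends at a proxy or
        // load balancer in front of IIS.
        if (Request.IsSecureConnection || !RequiresSsl(Request.Path))
            return;

        if (Request.HttpMethod == "GET" || Request.HttpMethod == "HEAD")
        {
            // No form body to lose on GET/HEAD, so a redirect is enough.
            Response.Redirect(ToHttps(Request.Url), true);
        }
        else
        {
            // A POST over http has already put its body on the wire; refuse
            // it so a form that still targets http fails visibly.
            Response.StatusCode = 403;
            Response.StatusDescription = "SSL required";
            CompleteRequest();
        }
    }

    // True for the directory itself and everything below it. IIS treats
    // paths case-insensitively, so the comparison does too.
    internal static bool RequiresSsl(string path)
    {
        return path.Equals(SecureDir, StringComparison.OrdinalIgnoreCase)
            || path.StartsWith(SecureDir + "/", StringComparison.OrdinalIgnoreCase);
    }

    // Rebuilds the URL with UriBuilder so only the scheme and port change;
    // a string Replace("http:", "https:") would also rewrite any "http:"
    // inside the query string.
    internal static string ToHttps(Uri url)
    {
        var builder = new UriBuilder(url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        return builder.Uri.AbsoluteUri;
    }
}
```

For credentials never to travel unencrypted, the login form itself has to be served from and post to an https URL; the 403 branch only makes a leftover http form target fail loudly.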
-1

I fixed it by making a simple change.

Set requireSSL="true".

See the line below that I added in my web.config:

    <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Lax" />