It is pretty easy to configure SSL on your IIS website with a valid certificate. We have SSL installed and configured on one of our web servers, and we prefer our employees to access its websites over a secure protocol (HTTPS). However, we do not have the luxury of globally enforcing SSL on all sites hosted by that web server, because in some cases it causes an accessibility issue for employees who are working from a remote location with firewall limitations. So we want to be able to allow them to access a web site using regular HTTP as an exception, not the rule.

So even if you provide a link to a person that specifies HTTPS, you have no guarantee that the person will always access the web site using that protocol. Since SSL is not enforced at the web server level, you have to enforce it logically, with a piece of code that checks each request and redirects it to HTTPS when it arrived over plain HTTP. The following is a quick and dirty approach to “Logical SSL Enforcement” (a method on the page, or on a shared base page so that every page gets the check):

// Method on a System.Web.UI.Page (or a shared base page). Needs "using System;"
// for StringComparison.
public void EnforceSSL() {

    // Determine SSL exception: ?SSL_OFF=1 skips enforcement.
    // Note: this flag is client-supplied, so anyone who appends it to a link
    // gets the exception, not only the remote employees it is meant for.
    string sslException = "0";
    if (Request.QueryString["SSL_OFF"] != null) {
        sslException = Request.QueryString["SSL_OFF"];
    }

    if (sslException == "1") {
        return;
    }

    // Do not enforce SSL in a dev environment.
    // Request.Url is the URL of the current request. The Referer header
    // (HTTP_REFERER) is the previous page, is often absent, and is
    // client-supplied, so it must not be used for this check.
    string currentURL = Request.Url.AbsoluteUri;
    string devURL = "localhost";
    if (currentURL.ToLower().IndexOf(devURL) != -1) {
        // Note: this matches "localhost" anywhere in the URL, including the
        // query string; compare Request.Url.Host instead if that matters.
        return;
    }

    // Redirect to the HTTPS protocol. Check the scheme at the start of the
    // URL, not "http:" anywhere in it (a query-string value could contain that).
    if (currentURL.StartsWith("http:", StringComparison.OrdinalIgnoreCase)) {
        string newURL = "https:" + currentURL.Substring("http:".Length);
        Response.Redirect(newURL, true);
    }

}
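The quick-and-dirty version above has two weak spots that follow directly from how it is written: the exception is keyed on a query-string flag, so any link with ?SSL_OFF=1 appended skips enforcement, and the dev-environment test looks for "localhost" anywhere in the URL, so ?x=localhost also skips it. The following is an added example, not code from the original post, showing the same policy as an IHttpModule for classic ASP.NET (System.Web) where both exceptions are decided by data the client cannot supply. The appSettings key "Ssl:ExemptClientNetworks" and the EnforceSslModule class name are assumptions made for this example.

```csharp
// Added example (not the original post's code). Enforces HTTPS on every
// request; exceptions are the loopback host and an administrator-configured
// list of client networks. The appSettings key name below is an assumption.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Net;
using System.Web;

public class EnforceSslModule : IHttpModule
{
    // Parsed once per AppDomain from web.config, e.g.
    //   <add key="Ssl:ExemptClientNetworks" value="203.0.113.0/24,198.51.100.7" />
    // (documentation ranges used as constructed placeholders).
    private static readonly List<KeyValuePair<IPAddress, int>> ExemptNetworks =
        ParseNetworks(ConfigurationManager.AppSettings["Ssl:ExemptClientNetworks"]);

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) => Enforce(((HttpApplication)sender).Context);
    }

    public void Dispose() { }

    internal static void Enforce(HttpContext ctx)
    {
        HttpRequest req = ctx.Request;

        // Ask the server whether the connection is TLS instead of looking for
        // "http:" somewhere in the URL.
        if (req.IsSecureConnection)
        {
            // Tell browsers to use HTTPS for this host for a year, so a later
            // plain-HTTP link is upgraded on the client before it is sent.
            ctx.Response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
            return;
        }

        // Dev exception: a loopback host name, not "localhost" anywhere in the URL.
        if (req.Url.IsLoopback) return;

        // Remote-employee exception: keyed on the source address against an
        // administrator-controlled list, not on a flag anyone can append.
        IPAddress client;
        if (IPAddress.TryParse(req.UserHostAddress, out client) && IsExempt(client)) return;

        // Otherwise redirect to the same path and query over HTTPS. Port = -1
        // drops an explicit :80 so the default HTTPS port is used.
        var https = new UriBuilder(req.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        ctx.Response.RedirectPermanent(https.Uri.AbsoluteUri, true);
    }

    internal static bool IsExempt(IPAddress client)
    {
        foreach (var net in ExemptNetworks)
            if (InNetwork(client, net.Key, net.Value)) return true;
        return false;
    }

    // Parses "a.b.c.d/n, e.f.g.h"; a bare address means a single host.
    // Malformed entries are skipped rather than silently widening the exemption.
    internal static List<KeyValuePair<IPAddress, int>> ParseNetworks(string csv)
    {
        var result = new List<KeyValuePair<IPAddress, int>>();
        if (string.IsNullOrWhiteSpace(csv)) return result;
        foreach (string entry in csv.Split(','))
        {
            string[] parts = entry.Trim().Split('/');
            IPAddress net;
            if (!IPAddress.TryParse(parts[0], out net)) continue;
            int prefix = net.GetAddressBytes().Length * 8;      // /32 or /128 by default
            if (parts.Length == 2 && !int.TryParse(parts[1], out prefix)) continue;
            if (prefix < 0 || prefix > net.GetAddressBytes().Length * 8) continue;
            result.Add(new KeyValuePair<IPAddress, int>(net, prefix));
        }
        return result;
    }

    // True when the first `prefix` bits of addr and net agree.
    internal static bool InNetwork(IPAddress addr, IPAddress net, int prefix)
    {
        byte[] a = addr.GetAddressBytes(), n = net.GetAddressBytes();
        if (a.Length != n.Length) return false;          // IPv4 vs IPv6 never match
        int fullBytes = prefix / 8, remBits = prefix % 8;
        for (int i = 0; i < fullBytes; i++)
            if (a[i] != n[i]) return false;
        if (remBits == 0) return true;
        int mask = (0xFF << (8 - remBits)) & 0xFF;
        return (a[fullBytes] & mask) == (n[fullBytes] & mask);
    }
}
```

Register the module in web.config under system.webServer/modules (IIS 7 integrated pipeline) with an add element whose type is EnforceSslModule. Two caveats apply to any version of this check, including the one on the page: if TLS terminates on a load balancer in front of IIS, Request.IsSecureConnection is false and Request.UserHostAddress is the balancer's address, so the module would have to read X-Forwarded-Proto and X-Forwarded-For and trust them only when the request actually came from the balancer; and a redirect can only upgrade requests that reach the server, so the first plain-HTTP request still travels in the clear, which is why the HSTS header is set on the secure path.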
