Thursday, February 08, 2007
Forcing SSL and Redirecting non-HTTPS requests to Home Page
I set up an ASP.NET 2.0 application on a website recently that required users to log in and be recognised by the different roles they were assigned to. I was subsequently asked to have it run exclusively under SSL in order to encrypt the login information. So, I got Saverio to issue me an SSL certificate, which he then set up for the application in IIS. He then checked the box in IIS to force SSL for that website. All was going well until we realised that we should handle non-HTTPS requests somewhat elegantly.
My first thought was to write some code in the application's Master Page that checked whether the request was HTTP or HTTPS and redirected to HTTPS if needed, but that would require a change in the application code. This wasn't a problem for my current application, but I thought it would be nicer to write it in a modular fashion so that it could easily be added to another application.
I did a quick search on the web and came across this article posted on Paul Wilson's blog on the asp.net website. It discusses using a Custom Error page in IIS for the 403.4 HTTP error code: the code that identifies the request as being forbidden because SSL is required. The posting describes how to set up your custom error page as an ASP.NET page that performs a redirect to another page. I thought it would be acceptable to redirect all non-HTTPS requests to the home page of our application, as the only URL the users would be likely to type would be that of the home page, so I created an HTML page with a simple META refresh rather than an ASP.NET page.
A short while afterwards we got a call from a user saying that the home page of the site was giving them an error. We had a look into it and noticed that our redirect was working in Firefox but didn't work in IE. Remembering IE's "Show friendly HTTP error messages" option, it seems that when the browser requests a page over HTTP that requires HTTPS, the server returns a 403.4 error along with the custom error page's content. When "Show friendly HTTP error messages" is selected in IE, it doesn't display the error page from the server but rather uses its own. Seeing as "Show friendly HTTP error messages" is selected by default in IE, we had a problem.
We did some more searching and happened upon this article from Scott Guthrie's blog. He explains that i) if you are using IE, ii) the HTTP request returns a status code other than 200, iii) the associated error page is < 512 bytes, and iv) "Show friendly HTTP error messages" is checked, then IE displays its own error page that corresponds to that error code. He goes on to say that all you need to do is make sure your Custom Error page is > 512 bytes and Bob's your uncle. He adds an HTML comment to his page to bulk it up, so that's what we did too.
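As an added example (not code from this post, nor from Paul Wilson's or Scott Guthrie's articles), here is a small Python script that generates the static 403.4 custom error page described above and checks the two properties the approach depends on: the page carries a META refresh to the HTTPS home page, and its body exceeds 512 bytes so that IE's "Show friendly HTTP error messages" setting does not replace it with IE's built-in page. The host name intranet.example.com is a placeholder, and the padding text is constructed; the 512-byte threshold is the one quoted from Scott's post.

```python
"""Build and sanity-check a custom IIS 403.4 ("SSL required") error page.

Added example, not the blog post's own code. The host name and the
padding text are assumptions; the 512-byte figure is from the post.
"""
import re
from html import escape
from typing import List, Optional
from urllib.parse import urlsplit

# Below this many bytes IE shows its own error page instead of ours.
IE_FRIENDLY_ERROR_THRESHOLD = 512


def https_home_url(host: str) -> str:
    """Return the fixed HTTPS home-page URL for a bare host name.

    The target is a constant derived only from configuration, never from
    the incoming request, so the error page always sends users to the
    same place.
    """
    host = host.strip().lower()
    if not host or "/" in host or ":" in host:
        raise ValueError("expected a bare host name, e.g. intranet.example.com")
    return "https://%s/" % host


def build_403_4_page(host: str, min_bytes: int = IE_FRIENDLY_ERROR_THRESHOLD + 1) -> str:
    """Return the HTML for the custom error page, padded past min_bytes.

    A META refresh with a delay of 0 redirects immediately; the HTML
    comment is the bulking trick the post borrows from Scott Guthrie.
    """
    target = escape(https_home_url(host), quote=True)
    page = (
        "<html><head>\n"
        '<meta http-equiv="refresh" content="0;url=%s">\n' % target
        + "<title>Secure connection required</title>\n"
        "</head><body>\n"
        '<p>This site requires HTTPS. <a href="%s">Continue</a>.</p>\n' % target
        + "</body></html>\n"
    )
    padding_needed = min_bytes - len(page.encode("utf-8"))
    if padding_needed > 0:
        # Constructed filler text; only its byte count matters to IE.
        filler = "Padding so Internet Explorer does not replace this page with its own. "
        repeats = padding_needed // len(filler) + 1
        comment = "<!-- " + (filler * repeats)[:padding_needed] + " -->\n"
        page = page.replace("</body>", comment + "</body>")
    return page


def ie_will_show_page(html: str) -> bool:
    """True if the body is large enough for IE to display it."""
    return len(html.encode("utf-8")) > IE_FRIENDLY_ERROR_THRESHOLD


def redirect_target(html: str) -> Optional[str]:
    """Extract the URL from the META refresh tag, or None if absent."""
    m = re.search(r'http-equiv="refresh"\s+content="\d+;\s*url=([^"]+)"', html, re.I)
    return m.group(1) if m else None


def check_error_page(html: str) -> List[str]:
    """Return the list of problems with a candidate page (empty is good)."""
    problems = []
    size = len(html.encode("utf-8"))
    if not ie_will_show_page(html):
        problems.append("page is %d bytes; must exceed %d" % (size, IE_FRIENDLY_ERROR_THRESHOLD))
    target = redirect_target(html)
    if target is None:
        problems.append("no META refresh redirect found")
    elif urlsplit(target).scheme != "https":
        problems.append("redirect target %r is not https" % target)
    return problems


if __name__ == "__main__":
    # Placeholder host; point IIS's 403.4 custom error at the saved file.
    html = build_403_4_page("intranet.example.com")
    print(html)
    print("problems:", check_error_page(html) or "none")
```

Save the generated HTML as the file that IIS serves for the 403.4 custom error, then run the check against the file you deployed rather than the string in memory, since a stray edit that trims the comment is exactly what brings IE's own page back. Because the target is a fixed home-page URL rather than anything taken from the request, the page cannot be steered elsewhere; the trade-off, as the post accepts, is that the user's originally requested path is not preserved.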
Thanks again, Scott!