Showing posts with label SSL. Show all posts

Tuesday, September 20, 2011

Force SSL in VB.NET

Today I'm wrapping up a project to convert an existing web site to use SSL communication only. This required adding HTTPS detection in various places to prevent mixed-content errors. I'm not entirely happy with my solution for that yet, so I'm not going to go into that right now.

What I do want to talk about is actually forcing the user over to HTTPS once your site is SSL-ready. The code I had used for many years on classic ASP sites was not working reliably; it would redirect, but to the home page instead of the page you tried to access.

ASP.NET has beefed up the Request object with some additional information we didn't have back in the old days (Request.IsSecureConnection and Request.Url). We also have a new way of including our function libraries, the App_Code folder.

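    Namespace myApplication
        Public Class myLibrary
            ' Redirects the current request to its HTTPS equivalent,
            ' keeping the host, path and query string.
            Public Shared Sub ForceSSL()
                Dim context As System.Web.HttpContext = System.Web.HttpContext.Current
                If Not context.Request.IsSecureConnection Then
                    ' Change only the scheme. A plain Replace("http://", "https://") on the
                    ' whole URL would also rewrite any URL carried inside the query string.
                    Dim secureUrl As New System.UriBuilder(context.Request.Url)
                    secureUrl.Scheme = System.Uri.UriSchemeHttps
                    secureUrl.Port = -1 ' -1 means the default port for the scheme (443)
                    context.Response.Redirect(secureUrl.Uri.AbsoluteUri)
                End If
            End Sub
        End Class
    End Namespace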


Then from each page on the site I import my custom library and run the subroutine:

    Imports myApplication.myLibrary

    Sub Page_Load(sender As Object, e As EventArgs)
        ForceSSL()
        'Rest of code goes here...
    End Sub
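Calling ForceSSL() from every Page_Load only protects the pages that remember to call it. The following is an added example, not code from the original post: an HTTP module placed in App_Code that applies the same check to every request. The class name ForceSslModule, the BuildSecureUrl helper and the choice to refuse non-GET requests over HTTP are assumptions made for this illustration.

```vbnet
Imports System
Imports System.Web

Namespace myApplication
    ' Added example (hypothetical class): enforces HTTPS for every request
    ' that ASP.NET handles, so no page has to call ForceSSL() itself.
    Public Class ForceSslModule
        Implements IHttpModule

        Public Sub Init(ByVal application As HttpApplication) Implements IHttpModule.Init
            AddHandler application.BeginRequest, AddressOf OnBeginRequest
        End Sub

        Private Sub OnBeginRequest(ByVal sender As Object, ByVal e As EventArgs)
            Dim app As HttpApplication = DirectCast(sender, HttpApplication)
            Dim context As HttpContext = app.Context
            If context.Request.IsSecureConnection Then Return

            ' A redirected POST loses its form body, and that body has already
            ' crossed the network unencrypted. Refuse it instead of redirecting,
            ' so an insecure form target is noticed and fixed.
            Dim method As String = context.Request.HttpMethod
            If method <> "GET" AndAlso method <> "HEAD" Then
                context.Response.StatusCode = 403
                app.CompleteRequest()
                Return
            End If

            ' Second argument True ends the response after sending the redirect.
            context.Response.Redirect(BuildSecureUrl(context.Request.Url), True)
        End Sub

        ' Swaps only the scheme; host, path and query string are kept as-is.
        Public Shared Function BuildSecureUrl(ByVal url As Uri) As String
            Dim builder As New UriBuilder(url)
            builder.Scheme = Uri.UriSchemeHttps
            builder.Port = -1 ' default HTTPS port; set explicitly if HTTPS runs elsewhere
            Return builder.Uri.AbsoluteUri
        End Function

        Public Sub Dispose() Implements IHttpModule.Dispose
            ' Nothing to release.
        End Sub
    End Class
End Namespace
```

The module takes effect once it is registered in web.config, under `<system.web><httpModules>` for the classic pipeline or `<system.webServer><modules>` for the IIS 7 integrated pipeline, with the type name `myApplication.ForceSslModule`.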


Supposedly there's a way to do this without code by modifying some settings in IIS, but I didn't have any success with that. The particular situation I'm dealing with has some fairly severe cohesion/coupling issues with certain pages being accessed from different subdomains.

Download the VB.NET source code for ForceSSL from Snipplr.com

Saturday, April 5, 2008

Force SSL

If your web site requires visitors to enter private information, like their credit card number, or even just a username and password, you're hopefully using SSL to secure the transmission. But providing SSL is not enough, because visitors can still access your site without SSL. When a visitor navigates to a page where they are entering private information, we want to enforce that their data is protected by SSL.


Our PHP programmer friends can do this via an htaccess file:


    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

But for those of us stuck using ASP, we don't have this luxury. We can achieve the same result with some code.


    sub forceSSL()
        dim secureURL
        if UCase(Request.ServerVariables("HTTPS")) = "OFF" then
            ' "URL" is the requested path without the query string,
            ' so the query string is appended separately below.
            secureURL = "https://" & Request.ServerVariables("SERVER_NAME") & Request.ServerVariables("URL")
            if Request.ServerVariables("QUERY_STRING") <> "" then
                secureURL = secureURL & "?" & Request.ServerVariables("QUERY_STRING")
            end if
            Response.Redirect secureURL
        end if
    end sub

There are some things here worth noting. In both the htaccess example and the ASP example, we are checking if HTTPS is off. Some people will instead check if traffic is coming from port 80, the standard HTTP port, or not coming from 443, the standard HTTPS port. Checking port numbers is not the best solution because the server administrator can set up HTTP and HTTPS to run on different ports. It's also worth noting that the above ASP example preserves QueryString variables, if any are being passed. Most other examples I've seen on the Internet ignore the QueryString variables, which leads to navigation problems.


With this subroutine in your arsenal, just call it at the top of any page you want to secure.