What I do want to talk about is actually forcing the user over to HTTPS once your site is SSL-ready. The code I had used for many years on classic ASP sites was not working reliably; it would redirect, but to the home page instead of the page you tried to access.
ASP.NET has beefed up the Request object with some additional information we didn't have back in the old days (Request.IsSecureConnection and Request.Url). We also have a new way of including our function libraries, the App_Code folder.
NameSpace myApplication
Public Class myLibrary
Public Shared Sub ForceSSL()
If Not System.Web.HttpContext.Current.Request.IsSecureConnection Then
System.Web.HttpContext.Current.Response.Redirect(System.Web.HttpContext.Current.Request.Url.AbsoluteUri.Replace("http://", "https://"))
End If
End Sub
End Class
End NameSpace
Then from each page on the site I import my custom library and run the subroutine:
Imports myApplication.myLibrary
Sub Page_Load(sender as Object, e as EventArgs)
ForceSSL()
'Rest of code goes here...
End Sub
Supposedly there's a way to do this without code by modifying some settings in IIS, but I didn't have any success with that. The particular situation I'm dealing with has some fairly severe cohesion/coupling issues with certain pages being accessed from different subdomains.
Download the VB.NET source code for ForceSSL from Snipplr.com