如何在asp.net mvc中从https跳出到http模式

发布于 2024-08-07 05:51:52 字数 142 浏览 4 评论 0原文

我通过在控制器操作上添加属性 [RequireSSL] 使我的登录页面启用了 Https，并且工作正常。但登录成功后仍处于https环境，但页面为非https页面。谁能给我解决如何从 https 模式退出到 http 模式的问题吗？在这方面的任何帮助将不胜感激。

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

断桥再见 2024-08-14 05:51:52

您基本上需要做相反的事情，即具有 [DoesNotRequireSSL] 属性，该属性实际上与 {RequireSSL] 属性相反，即重定向到 http 协议

public class DoesNotRequireSSL: ActionFilterAttribute 
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext) 
        {
            var request = filterContext.HttpContext.Request;
            var response = filterContext.HttpContext.Response;

            if (request.IsSecureConnection && !request.IsLocal) 
            {
            string redirectUrl = request.Url.ToString().Replace("https:", "http:");
            response.Redirect(redirectUrl);
            }
            base.OnActionExecuting(filterContext);
        }
    }

另外，如果您想确保多个页面具有此行为，您可以设置一个基本控制器，所有非 http 控制器都可以从中继承，因此您不必担心必须为每个需要它的页面重复自己。

You basically need to do the opposite, which is have a [DoesNotRequireSSL] attribute, which effectively does the opposite of the {RequireSSL] attribute, i.e., redirect to http protocol

public class DoesNotRequireSSL: ActionFilterAttribute 
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext) 
        {
            var request = filterContext.HttpContext.Request;
            var response = filterContext.HttpContext.Response;

            if (request.IsSecureConnection && !request.IsLocal) 
            {
            string redirectUrl = request.Url.ToString().Replace("https:", "http:");
            response.Redirect(redirectUrl);
            }
            base.OnActionExecuting(filterContext);
        }
    }

Also, if you would like to ensure that multiple pages have this behaviour, you can set up a base controller, from which all your non-http controllers can inherit from so you dont have to worry about having to repeat yourself for every page which needs this.

回复收藏 0 原文

沉鱼一梦 2024-08-14 05:51:52

警告：我也有类似的问题。我学到的一件重要的事情是，在切换回 HTTP 后，您的 auth cookie 将通过纯文本发送。请参阅此。

警告 2：不要忘记考虑可怕的您将被重定向到不安全的连接消息

如果您正在编写银行应用程序，则需要非常小心 - 并且还意识到公共 WiFi 连接上的用户数量不断增加，这些用户很可能[esily]通过一些偷偷摸摸的代理进行传输。对于主流网站来说，这可能是一个更大的问题，但也是我们所有人都应该意识到的问题。

另请参阅我的其他问题（当时没有答案写作 - 但后来我只是问了它！）

回复收藏 0 原文

追风人 2024-08-14 05:51:52

我知道这是一个相当老的问题，但是上面提供的许多链接都已失效，此代码通过对系统中包含的 RequireHttpsAttribute 进行一些轻微修改来解决 ASP.NET MVC 5 的问题.Web.Mvc 命名空间：

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class ForbidHttpsAttribute : FilterAttribute, IAuthorizationFilter
{
    public virtual void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        if (filterContext.HttpContext.Request.IsSecureConnection)
        {
            HandleHttpsRequest(filterContext);
        }
    }

    protected virtual void HandleHttpsRequest(AuthorizationContext filterContext)
    {
        // only redirect for GET requests, otherwise the browser might not propagate the verb and request
        // body correctly.

        if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("The requested resource can only be accessed *without* SSL.");
        }

        // redirect to HTTP version of page
        var url = "http://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
        filterContext.Result = new RedirectResult(url);
    }
}

代码来自这篇文章，该文章还简要讨论了强制用户从 HTTPS 重定向到 HTTP 的一些安全问题。

I know this is quite an old question, but many of the links presented above are dead and this code addresses it for ASP.NET MVC 5 by making some slight modifications to the RequireHttpsAttribute that is included in the System.Web.Mvc namespace:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class ForbidHttpsAttribute : FilterAttribute, IAuthorizationFilter
{
    public virtual void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        if (filterContext.HttpContext.Request.IsSecureConnection)
        {
            HandleHttpsRequest(filterContext);
        }
    }

    protected virtual void HandleHttpsRequest(AuthorizationContext filterContext)
    {
        // only redirect for GET requests, otherwise the browser might not propagate the verb and request
        // body correctly.

        if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("The requested resource can only be accessed *without* SSL.");
        }

        // redirect to HTTP version of page
        var url = "http://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
        filterContext.Result = new RedirectResult(url);
    }
}

The code comes from this article, which briefly discusses some of the security concerns of forcing users to redirect from HTTPS to HTTP as well.

回复收藏 0 原文

~没有更多了~