ASP.NET MVC [RequireHttps] - return to http - asp.net-mvc

Once you place [RequireHttps] on an action and user switches from HTTP to HTTPS, all subsequent links will stay HTTPS...
Is there a way to switch back to HTTP ?

Technically, you could do it
You could look at the source of RequireHttpsAttribute and reverse it.
In practice, you probably shouldn't
If the session is still alive, it is generally inadvisable to return to HTTP. This can be the foundation for a variety of attacks, for example, session hijacking.

there is a pretty detailed description of how to handle switching from HTTPS back to HTTP for specific action methods at this link
http://blog.clicktricity.com/2010/03/switching-to-https-and-back-to-http-in-asp-net-mvc/

Here's the 'ExitHttpsIfNotRequired' attribute I use:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class RetainHttpsAttribute : Attribute
{
}
public class ExitHttpsIfNotRequiredAttribute : FilterAttribute, IAuthorizationFilter
{
public void OnAuthorization(AuthorizationContext filterContext)
{
// Abort if it's not a secure connection
if (!filterContext.HttpContext.Request.IsSecureConnection) return;
if (filterContext.ActionDescriptor.ControllerDescriptor.ControllerName == "sdsd") return;
// Abort if it's a child controller
if (filterContext.IsChildAction) return;
// Abort if a [RequireHttps] attribute is applied to controller or action
if (filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), true).Length > 0) return;
if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), true).Length > 0) return;
// Abort if a [RetainHttps] attribute is applied to controller or action
if (filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(RetainHttpsAttribute), true).Length > 0) return;
if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(RetainHttpsAttribute), true).Length > 0) return;
// Abort if it's not a GET request - we don't want to be redirecting on a form post
if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase)) return;
// Abort if the error controller is being called - we may wish to display the error within a https page
if (filterContext.ActionDescriptor.ControllerDescriptor.ControllerName == "Error") return;
// No problems - redirect to HTTP
string url = "http://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
filterContext.Result = new RedirectResult(url);
}
}

Related

How can I make an action filter cause a filtered action to return HttpNotFoundResult?

I have a custom action filter for very explicit content length limiting. It does its work like this:
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (filterContext.HttpContext.Request.ContentLength >= MaxLength)
{
throw new HttpException("MaxLengthFilter: Request has Content-Length > " + MaxLength);
}
base.OnActionExecuting(filterContext);
}
I would prefer if any action invoked for a content length exceeding the maximum returned a more meaningful result, such as HTTP 404.13. If I were filtering directly inside the action, I could use ' return new HttpNotFoundResult()', but the filter's OnActionExecuting method is type void.
This is further complicated in that some actions that need filtering are ActionResult while some are JsonResult, and the latter needs serialization of the HttpNotFoundResult.
it isn't necessary to throw exception. You could redirect to custom error action.
Here is a question like this.
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (filterContext.HttpContext.Request.ContentLength >= MaxLength)
{
filterContext.Result = RedirectToAction("Error401_13", "Error"); //for example
return;
}
base.OnActionExecuting(filterContext);
}

Once a user visits a [RequireHTTPS] action, they stay on https

I'm securing some of my ActionResults with [RequireHttps] and that's working great.
People are keeping their https connection after they go to other links. I only want https on certain pages that I specify, I want http on everything else.
You could try creating a base controller and override the OnActionExecuting method to do something like:
protected override void OnActionExecuting(ActionExecutingContext ctx) {
{
bool redirect = true;
if (!ctx.HttpContext.Request.IsSecureConnection) redirect = false;
// Bypass if [RequireHttps] is applied
if (ctx.ActionDescriptor.ControllerDescriptor.GetCustomAttributes
(typeof(RequireHttpsAttribute), true).Length > 0) redirect = false;
if (ctx.ActionDescriptor.GetCustomAttributes
(typeof(RequireHttpsAttribute), true).Length > 0) redirect = false;
if (!redirect)
{
base.OnActionExecuting(ctx);
}
else
{
// Redirect to HTTP
string url = "http://" + ctx.HttpContext.Request.Url.Host
+ ctx.HttpContext.Request.RawUrl;
ctx.Result = new RedirectResult(url);
}
}

potentially dangerous request redirect to error page

I use request validation on asp.net mvc 2 on .NET 4, and whenever I post htmlcode to my controller action. that is good.
But I see now my yellow screen of death.
Instead of that I want to redirect the user to my custom error page for this.
What do I need to change in my web.config to redirect to
~/Home/InvalidInput
for example.
You want to add that info to the customErrors element in the web.config. This element is defined under the system.web tag.
<customErrors mode="RemoteOnly" defaultRedirect="/Home/InvalidInput " />
Also, you will need to define a route to handle this redirect since that is nothing more than a URL. Just specify an route and an action in your HomeController that will return the InvalidInput view when this route is hit.
Setup a custom base controller that HomeController (and whatever others you have) inherits from. Then you can setup exception handling in the base controller:
protected override void OnException(ExceptionContext filterContext)
{
if (filterContext.HttpContext.Request.IsAjaxRequest())
{
base.OnException(filterContext);
return;
}
filterContext.ExceptionHandled = true;
if (filterContext.Exception is HttpException)
{
var statusCode = ((HttpException) filterContext.Exception).GetHttpCode();
Response.StatusCode = statusCode;
if (statusCode == (int) HttpStatusCode.NotFound)
{
filterContext.Result = View(ErrorController.Actions.NotFound);
}
else
{
filterContext.Result = View(ErrorController.Actions.InternalServerError);
}
}
else
{
Response.StatusCode = (int) HttpStatusCode.InternalServerError;
filterContext.Result = View(ErrorController.Actions.InternalServerError);
}
base.OnException(filterContext);
}
Of course you will need your own ErrorController and error views as well.
The benefit in this is that a) you have greater control over how exceptions are handled, b) you can set the appropriate HTTP status code, and c) you can unit test your error handler.
The defaultRedirect property of customErrors will work as well as a more basic approach, however you cannot unit test the behavior, and users are then exposed to your error routes rather than staying on the current URI.

Custom Authorize attribute HttpContext.Request.RawUrl unexpected results

We're building an application that is a Silverlight client application, but we've created an MVC controller and a few simple views to handle authentication and hosting of the Silverlight control for this application. As part of the security implementation, I've created a custom Authorization filter attribute to handle this, but am getting some unexpected results trying to properly handle redirection after authentication.
For example, our Silverlight application's navigation framework allows users to deep-link to individual pages within the application itself, such as http://myapplicaton.com/#/Product/171. What I want, is to be able to force a user to login to view this page, but then successfully redirect them back to it after successful authentication. My problem is with getting the full, requested URL to redirect the user to from within my custom authorization filter attribute class.
This is what my attribute code looks like:
public class RequiresAuthenticationAttribute : FilterAttribute, IAuthorizationFilter
{
protected bool AuthorizeCore(HttpContextBase httpContext)
{
var cookie = Cookie.Get(SilverlightApplication.Name);
if (SilverlightApplication.RequiresLogin)
{
return
((cookie == null) ||
(cookie["Username"] != httpContext.User.Identity.Name) ||
(cookie["ApplicationName"] != SilverlightApplication.Name) ||
(Convert.ToDateTime(cookie["Timeout"]) >= DateTime.Now));
}
else
return false;
}
public void OnAuthorization(AuthorizationContext filterContext)
{
if (filterContext != null && AuthorizeCore(filterContext.HttpContext))
{
var redirectPath = "~/login{0}";
var returnUrl = filterContext.HttpContext.Request.RawUrl;
if (string.IsNullOrEmpty(returnUrl) || returnUrl == "/")
redirectPath = string.Format(redirectPath, string.Empty);
else
redirectPath = string.Format(redirectPath, string.Format("?returnUrl={0}", returnUrl));
filterContext.Result = new RedirectResult(redirectPath);
}
}
}
So in this case, if I browse directly to http://myapplicaton.com/#/Product/171, in the OnAuthorize method, where I'm grabbing the filterContext.HttpContext.Request.RawUrl property, I would expect it's value to be "/#/Product/171", but it's not. It's always just "/". Does that property not include page level links? Am I missing something?
The # sign in URLs (also called the fragment part of an URL) is only used by browsers to navigate between history and links. Everything following this sign is never sent to the server and there's no way to get it in a server side script.

More control on ASP.Net MVC's Authorize; to keep AJAX requests AJAXy

I have some action methods behind an Authorize like:
[AcceptVerbs(HttpVerbs.Post), Authorize]
public ActionResult Create(int siteId, Comment comment) {
The problem I have is that I'm sending a request through AJAX to Comment/Create with
X-Requested-With=XMLHttpRequest
which helps identify the request as AJAX. When the user is not logged in and hits the Authorize wall it gets redirected to
/Account/LogOn?ReturnUrl=Comment%2fCreate
which breaks the AJAX workflow. I need to be redirected to
/Account/LogOn?X-Requested-With=XMLHttpRequest
Any ideas how that can be achieved? Any ways to gain more control over what happens when Authorization is requested?
Thanks to Lewis comments I was able to reach this solution (which is far from perfect, posted with my own comments, if you have the fixes feel free to edit and remove this phrase), but it works:
public class AjaxAuthorizeAttribute : AuthorizeAttribute {
override public void OnAuthorization(AuthorizationContext filterContext) {
base.OnAuthorization(filterContext);
// Only do something if we are about to give a HttpUnauthorizedResult and we are in AJAX mode.
if (filterContext.Result is HttpUnauthorizedResult && filterContext.HttpContext.Request.IsAjaxRequest()) {
// TODO: fix the URL building:
// 1- Use some class to build URLs just in case LoginUrl actually has some query already.
// 2- When leaving Result as a HttpUnauthorizedResult, ASP.Net actually does some nice automatic stuff, like adding a ReturnURL, when hardcodding the URL here, that is lost.
String url = System.Web.Security.FormsAuthentication.LoginUrl + "?X-Requested-With=XMLHttpRequest";
filterContext.Result = new RedirectResult(url);
}
}
}
Recently I ran into exactly the same problem and used the code posted by J. Pablo Fernández
with a modification to account for return URLs. Here it is:
public class AuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
{
override public void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
// Only do something if we are about to give a HttpUnauthorizedResult and we are in AJAX mode.
if (filterContext.Result is HttpUnauthorizedResult && filterContext.HttpContext.Request.IsAjaxRequest())
{
// TODO: fix the URL building:
// 1- Use some class to build URLs just in case LoginUrl actually has some query already.
HttpRequestBase request = filterContext.HttpContext.Request;
string returnUrl = request.Path;
bool queryStringPresent = request.QueryString.Count > 0;
if (queryStringPresent || request.Form.Count > 0)
returnUrl += '?' + request.QueryString.ToString();
if (queryStringPresent)
returnUrl += '&';
returnUrl += request.Form;
String url = System.Web.Security.FormsAuthentication.LoginUrl +
"?X-Requested-With=XMLHttpRequest&ReturnUrl=" +
HttpUtility.UrlEncode(returnUrl);
filterContext.Result = new RedirectResult(url);
}
}
}
Instead of using the authorize attribute, I've been doing something like the following.
public ActionResult SomeCall(string someData)
{
if (Request.IsAjaxRequest() == false)
{
// TODO: do the intended thing.
}
else
{
// This should only work with AJAX requests, so redirect
// the user to an appropriate location.
return RedirectToAction("Action", "Controller", new { id = ?? });
}
}
I think the right way to handle this would be in your Javascript making the AJAX call.
If the user needs to be authorized (or authenticated as your code implies) and isn't, you should inform them and maybe not allow them to try and comment in the first place.
However, if that doesn't suit your needs.
You could try and write your own authorize action filter, maybe inheriting from the one that comes with the MVC framework but redirects how you want it to. It's fairly straightforward.

Resources