asp.net c# redirecting from http to https

Question

So in my code I want to detect if my login page is being called http, and redirect it to https.

I know there are non code ways to skin this cat, but for frustrating technical reasosn I'm backed into doing it in code.

            if (!Request.IsSecureConnection)
            {
                string redirectUrl = Request.Url.ToString().Replace("http:", "https:");
                Response.Redirect(redirectUrl);
            }

So I drop this in my Page_Load(...), make sure my debugger uses real IIS, not VS2008s IIS, and hit debug.

Inthe debugger, waltz along, hit Response.Redirect("https://localhost/StudentPortal3G/AccessControl/AdLogin.aspx"), hit f5.

Get "Internet Explorere Cannot Display the webpage, url is HTTP, not HTTPS. Not getting an informative error... same thing happens not running in the debugger.

So what am I missing? it does not appear to be rocket science, I've seen similar code on lots of blogs...

What am I doing wrong? I figure it has to be a totally obvious Rookie mistake, but I'm not seeing it.

Answer 1

I'd do a !Request.IsLocal as well to make sure that I'm not debugging, though if you're using a real instance of IIS with a cert applied when debugging that shouldn't be an issue.

if (!Request.IsLocal && !Request.IsSecureConnection)
{
    string redirectUrl = Request.Url.ToString().Replace("http:", "https:");
    Response.Redirect(redirectUrl, false);
    HttpContext.ApplicationInstance.CompleteRequest();
}

Note: This answer assumes an MVC context within a Controller where HttpContext is a property holding the current context. If you're unlucky enough to still be using WebForms or are referencing the context in a degenerate way you will need to use HttpContext.Current.ApplicationInstance.CompleteRequest().

Note: I've updated this to be consistent with the recommended pattern to terminate the request according to the framework documentation.

When you use this method in a page handler to terminate a request for one page and start a new request for another page, set endResponse to false and then call the CompleteRequest method. If you specify true for the endResponse parameter, this method calls the End method for the original request, which throws a ThreadAbortException exception when it completes. This exception has a detrimental effect on Web application performance, which is why passing false for the endResponse parameter is recommended. For more information, see the End method.