.net redirecting from HTTP to HTTPS

03-30-2011 , 04:23 AM
Just a quick question, wondering if anyone knows the answer. All my logged-in content forces an SSL connection to prevent cookie hijacking.

What I'm curious to know is: if the logged-in user visits an HTTP page, and I have code which checks the protocol in the Page_Init() function and Response.Redirects to the HTTPS URL if they are on HTTP, is the cookie ever exposed between the original request, the page init, and the redirect?
03-30-2011 , 11:24 AM
Not sure without code, it depends.

If the user goes from the HTTPS channel to HTTP, you lose the session, and an HTTP header/request is sent even for the redirect.

Worst-case scenario is http://www.eggheadcafe.com/default.aspx - they know it
03-30-2011 , 11:50 AM
In theory, cookies are sent with every request to the domain, which is why, if you're doing it wrong, HTTPS redirecting alone doesn't help.

But apparently a new extension to that is that if you add the 'secure' attribute to a cookie, then browsers will only send it over https connections.

So there you go. Do that to your login cookies and you should be good.
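
The behaviour discussed in this thread, as an added example that is not part of any post: a C# console program that uses .NET's `CookieContainer` as a stand-in for the browser's cookie jar and shows which login cookies are attached to the initial `http://` request (which leaves the client before `Page_Init` can redirect) and which are held back for `https://`. The host `app.example.test` and the cookie names and values are constructed for illustration.

```csharp
using System;
using System.Net;

// Added example: CookieContainer models the client-side cookie jar.
// Host name, cookie names and token values are constructed, not from the thread.
static class SecureCookieDemo
{
    // Returns the Cookie header a client would attach to a request for `url`.
    static string CookieHeaderFor(CookieContainer jar, string url) =>
        jar.GetCookieHeader(new Uri(url));

    static void Main()
    {
        var httpsSite = new Uri("https://app.example.test/");
        var jar = new CookieContainer();

        // Login cookie issued over HTTPS but without the Secure attribute.
        jar.Add(httpsSite, new Cookie("auth_plain", "constructed-token-1")
        {
            HttpOnly = true
        });

        // Login cookie issued with the Secure attribute set.
        jar.Add(httpsSite, new Cookie("auth_secure", "constructed-token-2")
        {
            HttpOnly = true,
            Secure = true
        });

        // Step 1: the user follows an http:// link. The request, with its Cookie
        // header, is on the wire in cleartext before any server-side code runs,
        // so a redirect in Page_Init cannot take back what was already sent.
        Console.WriteLine("HTTP  request sends: " +
            CookieHeaderFor(jar, "http://app.example.test/account.aspx"));

        // Step 2: the server redirects to https://; this request is encrypted
        // and carries both cookies.
        Console.WriteLine("HTTPS request sends: " +
            CookieHeaderFor(jar, "https://app.example.test/account.aspx"));
    }
}
```

In ASP.NET the attribute is set per cookie with `HttpCookie.Secure = true`, or site-wide with `<httpCookies requireSSL="true" />` (and `requireSSL="true"` on the `<forms>` element for the Forms authentication ticket) in web.config.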
