It's certainly easy to set up a site to require SSL. Just use IIS Manager and check the Require secure channel (SSL) checkbox on the Authentication and access control dialog on the Directory Security tab.

The problem with this is what happens when someone hits your site using HTTP instead of HTTPS. They get a nasty error message that starts with:

The page must be viewed over a secure channel

The page you are trying to access is secured with Secure Sockets Layer (SSL). 

While some users may be able to figure out that they forgot to use HTTPS, many will be confused. The ideal situation is for IIS to just switch the protocol to HTTPS for the user. Too bad it does not.

Previously, I have solved this problem with a lame workaround of having users go to a dummy site that doesn't require HTTPS and then redirecting them to the real site. But like I said, this is lame. Recently, I needed to set this up for a new site and fortunately, I came across a blog post by Paul Wilson that comes up with what I consider an elegant solution.

The basic idea is this:

1. Require SSL for the site using the aforementioned dialog.

2. Create a subfolder (e.g., NonSSL) of the site that doesn't require SSL (again using the aforementioned dialog) and add a web.config file to the folder (or use the location element in the root web.config) that allows all users (if your site uses Forms authentication). You want to add <allow users="?,*"/> to capture both non-authenticated users and authenticated users.

3. Add a page to the folder (e.g., /NonSSL/SSLRedirect.aspx) that simply uses Response.Redirect to redirect to the default page of the site using HTTPS.

4. Now go back to the root folder and select the Custom Errors tab of IIS Manager for the site. Choose to edit the 403:4 error type, which happens to be the error generated when viewing a resource requiring SSL over a non-secure channel. In fact, the previously excerpted error page says as much later on:

HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
Internet Information Services (IIS)

Select Message type = URL and enter the URL that points to the page in step #3 (e.g., /NonSSL/SSLRedirect.aspx). If this is a virtual directory, you will need to add the virtual root name as in /vroot/NonSSL/SSLRedirect.aspx.
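The redirect page from step 3, written out as an added example (not the post's or Paul Wilson's code). It assumes IIS hands the custom-error URL a query string of the form 403;http://host/original/path; when that is present and the host matches the one the user hit, the page keeps the original path and just swaps the scheme to HTTPS, and in every other case it falls back to the site root so the page can never be used as an open redirect.

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System" %>
<script runat="server">
    // /NonSSL/SSLRedirect.aspx (constructed example).
    // Assumption: IIS appends "<status>;<original URL>" as the query string
    // when it sends a 403.4 to a custom error page of type URL.
    void Page_Load(object sender, EventArgs e)
    {
        // Safe default: the HTTPS root of the host the user actually hit.
        string target = "https://" + Request.Url.Host + "/";

        // Raw query string as IIS passed it, e.g. "403;http://host/app/Page.aspx?x=1"
        string raw = Request.ServerVariables["QUERY_STRING"] ?? string.Empty;
        int sep = raw.IndexOf(';');
        if (sep >= 0)
        {
            Uri original;
            if (Uri.TryCreate(raw.Substring(sep + 1), UriKind.Absolute, out original)
                && string.Equals(original.Host, Request.Url.Host,
                                 StringComparison.OrdinalIgnoreCase))
            {
                // Same host only: keep path and query, change http -> https
                // and drop any explicit port so the default 443 is used.
                UriBuilder b = new UriBuilder(original);
                b.Scheme = Uri.UriSchemeHttps;
                b.Port = -1;
                target = b.Uri.AbsoluteUri;
            }
            // A foreign host (or unparsable URL) keeps the safe default above.
        }

        Response.Redirect(target, true);
    }
</script>
```

Drop the page into the NonSSL folder from step 2; because that folder does not require SSL, the 403.4 custom error can reach it over plain HTTP and issue the redirect.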

That's pretty much it. In his post, Paul Wilson mentions some scenarios that may require additional work. See his post for more details.

What's especially nice about this solution is that it's done entirely on the server. Your app still works fine on your dev machine or your staging server, because nothing changes on a machine where the site doesn't require SSL.

Paul