http -> https redirection question

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • http -> https redirection question

    When a user logs in the following document is set as the first document to run if one is not specified. Normally I name it defaults.asp

    This method is only used if the site has an SSL certificate installed. It redirects the user to the https:// version of the website.

    If someone types in http://mywebsite.com or http://mywebsite.com/webvirdir they will be directed to https://mywebsite.com/webvirdir/default.htm

    However if someone types http://mywebsite.com/webvirdir/default.htm I can't figure out a way to do the redirection because it's not calling the default document defaults.asp.

    I don't know the actual right way to always redirect to the https:// version of the site if the user types in any combination using http:// something.
    Code:
    <html>
    <head>
    <title></title>
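    <%
      ' Redirect a plain-HTTP request for this page to the HTTPS site.
      Dim bSSLOff
      Dim sURL

      ' IIS sets the HTTPS server variable to "on" or "off".
      bSSLOff = (Request.ServerVariables("HTTPS") = "off")
      If bSSLOff Then
        sURL = "https://mywebsite.com/webvirdir/default.htm"
        Response.Redirect sURL
      End If
    %>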
    
    
    </head>
    <body>
    </body>
    </html>
    Bob Mechler

  • #2
    So far the experts-exchange guys just say to make the whole site secure by editing the Certificate to require secure channel. This however throws up an error page upon any use of http to access the site. I guess one could create a custom error page for the rather harsh default error page.

    The web site's owners want a site where the user doesn't have to use https but have it auto-switch as I've done for most instances of how they might type the URL.

    Bob Mechler


    • #3
      Automatically changing things (i.e. forward request from HTTP->HTTPS) is not a good idea, there is a reason for https and it's usually to keep something secure. When things are done magically and behind the scenes the users become accepting and lethargic so that one day it is redirected to a different location and suddenly account information is lost...

      This happens on a daily basis...

      The experts are correct, do as they recommend and the site will be secure. Deviate and you take your chances.
      Sr. Software Development Engineer and Sr. Information Security Analyst,
      CEH, Digital Forensic Examiner


      • #4
        If they were using Apache I would say just use an htaccess rewrite.

        And I'm sure that whatever system you're using can handle some version of that.

        The assumption here is that they have already logged in, correct?

        JS
        John,
        --------------------------------
        John Strasser
        Phone: 480 - 273 - 8798


        • #5
          Can just html be used?
          <META http-equiv="refresh" content="0;URL=http://www.powerbasic.com">


          • #6
            Code:
            <html>
            <head>
            
            <script type="text/javascript">
            
            // test to see if on secure page
            function testForCert() {
              var temp = location.href;
              if (temp.indexOf('https://') == 0) {
                // already secure - do nothing
              } else {
                // not secure - load secure site
                window.location = 'https://www.mydomain.com';
              }
            }
            </script>
            
            </head>
            
            <body onLoad="testForCert();">
            
            mydomain.com
            
            </body>
            </html>


            • #7
              Originally posted by Mike Doty
              Can just html be used?
              <META http-equiv="refresh" content="0;URL=http://www.powerbasic.com">
              While that kind of redirection does "work" it usually breaks the "back" button. So it fell out of favor.

              Server based redirection (as compared to client side) also is faster.

              JS
              John,
              --------------------------------
              John Strasser
              Phone: 480 - 273 - 8798


              • #8
                Here is a snippet of PHP code that I worked on when doing some web testing a few years ago and I just found it.
                I will need it again really soon too and am hoping it works for me.
                This is only practiced on and not in any production.
                The server is Apache version 2.
                The code is PHP code.
                The code goes at the very top of the web page.
                If this helps and I am not too late please let me know also what you are doing.



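                PHP code that runs in PHP version 4 to convert a web page from http to https
                Code:
                <?php
                // $_SERVER replaces the deprecated $HTTP_SERVER_VARS; HTTPS may be unset on plain HTTP.
                if (!isset($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != "on")
                {
                   // Rebuild the requested URL on the https:// scheme
                   $newurl = "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
                   header("Location: $newurl");
                   exit; // stop here so no page content is sent over plain HTTP
                }
                ?>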
                p purvis


                • #9
                  I for one am no expert on the subject of writing webpages but I am going to have to do some and am studying up on the subject as we speak.

                  I have perceived the same problem of wanting somebody to be in https mode for some of my web pages. It would seem logical to have a variable, or maybe two variables if needed, to flag a web visitor of whether they have entered the server web pages from a wanted or desired path by the web page creator.

                  Maybe a standard template file to be included on web pages is needed.

                  And yes,

                  I am fishing for any thoughts useful to my cause as well, haha.
                  Last edited by Paul Purvis; 1 Jul 2009, 07:24 PM.
                  p purvis


                  • #10
                    What about a server responding with "301 - moved permanent"?


                    • #11
                      Knuth:

                      You definitely want the 301 error code:
                      In PHP this is the entire page:

                      Code:
                      <?php
                      $url = "http://www.php.net";   // redirect target
                      header( "HTTP/1.1 301 Moved Permanently" );
                      header( "Location: $url" );
                      exit;   // send nothing after the redirect headers
                      Just change the value of $url.

                      As for wanting to be on a secure page for some of the time (https) and if you want them to come from a specific path... DON'T use the referrer variable - too easy to spoof.

                      use session variables instead. Better yet - really reevaluate why you want the https pages in the first place.

                      JS
                      John,
                      --------------------------------
                      John Strasser
                      Phone: 480 - 273 - 8798
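
Added example, not code from any poster in this thread: the request-preserving redirect from #8 and the 301 status from #11 combined, with the target host checked against an allow-list because the Host header is supplied by the client. The function name `https_redirect_target` and the host list are assumptions made for illustration.

```php
<?php
// Added example. $ALLOWED_HOSTS holds constructed sample values;
// replace them with the names the site's certificate actually covers.
$ALLOWED_HOSTS = array('mywebsite.com', 'www.mywebsite.com');

/**
 * Return the https:// URL for the current request, or null when the
 * request already arrived over TLS and no redirect is needed.
 * (Hypothetical helper, not part of PHP or of any post above.)
 */
function https_redirect_target(array $server, array $allowedHosts)
{
    // IIS reports HTTPS as "off" on plain HTTP; Apache leaves it unset.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return null;
    }

    // HTTP_HOST is client-controlled: never echo an unknown name into
    // the Location header, or the site becomes an open redirector.
    $host = isset($server['HTTP_HOST']) ? strtolower($server['HTTP_HOST']) : '';
    $host = preg_replace('/:\d+$/', '', $host);   // drop a ":80" suffix
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];                 // fall back to the canonical name
    }

    // Keep path and query string so deep links such as
    // /webvirdir/default.htm survive the redirect. A request target
    // that is not origin-form (does not start with "/") is replaced.
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }

    return 'https://' . $host . $uri;
}

$target = https_redirect_target($_SERVER, $ALLOWED_HOSTS);
if ($target !== null) {
    // Third argument sets the status code: 301 Moved Permanently.
    header('Location: ' . $target, true, 301);
    exit;   // send no page content over plain HTTP
}
```

Include this at the top of every PHP page, before any output. A session cookie also needs the Secure flag; otherwise the browser sends it with the first plain-HTTP request, before this redirect runs.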


                      • #12
                        I work as a contractor for the Navy and all sites *had* to go to HTTPS - so during the break in phase I just "Required" SSL and used the error code to redirect.

                        Worked like a champ until they closed port 80 on the firewall but still.....

                        In IIS you can set a redirect as well, and as well on Apache.


                        The custom error page you would use is:

                        HTTP 403.5 - Forbidden: SSL 128 required
                        Last edited by Scott Turchin; 11 Jul 2009, 12:59 PM.
                        Scott Turchin
                        MCSE, MCP+I
                        http://www.tngbbs.com
                        ----------------------
                        True Karate-do is this: that in daily life, one's mind and body be trained and developed in a spirit of humility; and that in critical times, one be devoted utterly to the cause of justice. -Gichin Funakoshi
