RequireHttps and routing to https URL


Question

I am using the RequireHttps attribute on most of the actions in my User controller which handles the login and my secure https pages.

On my Home Page which is http I have a link to my login page as follows (MVC 4 Razor View):-

<a href="@Url.Action("Login", "User")">Login</a>

The link correctly goes to the login page with an https address. However, when I look in the IIS log I see there are two entries for the login URL, one on port 80 and one on port 443.

Is this an issue I should be concerned about?

I know on my @Url.Action I could force https mode, but not sure if this is the best way. Plus this removes the port, which is annoying when using IIS Express in VS 2012. I'd then have to further extend the @Url.Action to include the hostname:port.

So I am just checking if (a) this should be a concern and (b) if it is a concern whether there are any other ways to forcing the URL to https.

Answer

Most tutorials will agree that by having a mixed mode site (both HTTP and HTTPS) you're defeating the purpose of SSL (having certain paths require SSL then switching back to a non SSL connection). Once you switch to HTTPS it's recommended that you force the user to stay using HTTPS for everything, at the very least until they logout. I have one site that uses HTTPS and once you hit the site, I just use a URL Rewrite rule to switch the user to HTTPS, and only HTTPS is allowed.

<rewrite>
  <rules>
    <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
      <match url="(.*)"/>
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$"/>
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther"/>
    </rule>
  </rules>
</rewrite>

Once you do this it's also recommended to set the authentication cookie to require HTTPS as well. For Forms authentication this is as simple as setting the following in your web.config.

<authentication>
    <forms requireSSL="true" />
</authentication>

I would also recommend looking at some of the Headers that can be set to help browsers treat the site correctly, like using Strict-Transport-Security to signify that the site requires SSL. Keep in mind that while Headers are a great supplemental measure you can take, ultimately they are left for the browser to enforce and should not be relied on exclusively.

I recommend these steps because I don't suffer from the symptom you're describing and am hoping they'll help resolve the issue you're noticing in the logs.

AMENDMENT: Oh, and I also forgot to mention, HTTPS is a little more intensive to establish a connection with than plain old HTTP. Not much in the grand scheme of things, but still it's something. I'd recommend you utilize HTTP Keep-Alive so as to reduce some of that overhead.

UPDATE: Communicating over SSL doesn't imply that you are authenticated. It just means you're talking over a secure/encrypted connection.

Take your Amazon example, let's say. If you visit the site, you'll likely get just a normal connection over HTTP. You aren't logged in; you're just browsing the site. If you wanted, you could switch to HTTPS and you'd still get the same site, but you're not logged in yet. Now if you try to login you'll get redirected so that you talk over SSL (if you're not already), as noted by the HTTPS moniker. Even after you actually login you will still be communicating over SSL. Even if you try to manually switch to not using SSL while you are logged in by removing the S from the protocol part of the URL, it'll still send you back to using HTTPS. This is the correct way of doing it. It's generally suggested that you not return to a non-encrypted session after authenticating. This is typically to avoid session hijacking, since your authentication cookie would never be sent over plain HTTP. Make sure the resources you have on external sources are on sites that you trust. External resources accessed while in an HTTP connection should also be over an SSL connection. Again, just because you communicate over SSL doesn't mean you're logged into those sources. My app is 100% accessed over SSL, but I also have Google Analytics and Google Maps integration on the site (obviously both are external to my domain). I just make sure that I talk to Google over SSL. I don't have to actually be logged into Google to use any of those things. The same goes for your external images. Just make sure the URLs used to reference those external images are defined using the HTTPS moniker so that it uses SSL.

UPDATE: The reason you're getting two hits in the log like that is because your login link is being requested over HTTP; the RequireHttps attribute hits first, realizes you're not using SSL and redirects you back to itself with the HTTPS protocol. If you update your ActionLink URL you can get around this, but as you know it gets ugly.

Url.Action("Login", "User", null, "https", Request.Url.Host)
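The mechanics the answer describes (the RequireHttps redirect that produces the second log entry, a login link that goes straight to HTTPS, and the Strict-Transport-Security header), as an added example that is not code from the question or the answer. It assumes an ASP.NET MVC 4 project with the standard System.Web.Mvc namespaces; the names RequireHttpsWithPortAttribute, SecureAction and HstsHeaderAttribute are hypothetical, and the IIS Express HTTPS port 44300 is a placeholder you would take from the project's own settings.

```csharp
// Added example, not part of the original question or answer. Assumes ASP.NET MVC 4.
using System;
using System.Web.Mvc;

namespace SecureRoutingExample
{
    // Variant of RequireHttps that keeps a non-default HTTPS port in the redirect, so the
    // attribute still works under IIS Express (where HTTPS is not on 443). In production the
    // port is 443 and the redirect collapses to the usual https://host/path form.
    public class RequireHttpsWithPortAttribute : RequireHttpsAttribute
    {
        // Placeholder default; set HttpsPort = 44300 (or whatever IIS Express assigned) in dev.
        public int HttpsPort { get; set; }

        public RequireHttpsWithPortAttribute()
        {
            HttpsPort = 443;
        }

        protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
        {
            var request = filterContext.HttpContext.Request;

            // Redirecting a POST (for example a login form) would silently drop its body, so only
            // GET requests are bounced to HTTPS; anything else is refused outright.
            if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            {
                throw new InvalidOperationException("HTTPS is required for this action.");
            }

            // This redirect is the first of the two log entries the question describes:
            // the browser hits port 80, gets a 302, then hits port 443 for the same path.
            filterContext.Result = new RedirectResult(BuildHttpsUrl(request.Url, HttpsPort));
        }

        // Pure helper so the URL construction can be checked without an HttpContext.
        public static string BuildHttpsUrl(Uri requestUrl, int httpsPort)
        {
            var builder = new UriBuilder(requestUrl)
            {
                Scheme = Uri.UriSchemeHttps,
                Port = httpsPort   // UriBuilder omits the port from the output when it is 443
            };
            return builder.Uri.AbsoluteUri;
        }
    }

    public static class SecureUrlExtensions
    {
        // Generates the link with the https scheme and the current host up front, so the
        // browser's first request already goes to the HTTPS port and RequireHttps never has
        // to redirect; this is what removes the duplicate port-80 entry from the IIS log.
        public static string SecureAction(this UrlHelper url, string action, string controller, int httpsPort)
        {
            var host = url.RequestContext.HttpContext.Request.Url.Host;
            var hostWithPort = httpsPort == 443 ? host : host + ":" + httpsPort;
            return url.Action(action, controller, null, Uri.UriSchemeHttps, hostWithPort);
        }
    }

    // Sends Strict-Transport-Security only on HTTPS responses; browsers ignore the header when
    // it arrives over plain HTTP, so emitting it there is pointless. max-age of one year is a
    // constructed value; choose your own once every path really serves over HTTPS.
    public class HstsHeaderAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            var http = filterContext.HttpContext;
            if (http.Request.IsSecureConnection)
            {
                http.Response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
            }
        }
    }

    // Usage on the login action; the HSTS filter can be registered globally in
    // App_Start/FilterConfig.cs with filters.Add(new HstsHeaderAttribute()).
    public class UserController : Controller
    {
        [RequireHttpsWithPort(HttpsPort = 44300)]   // placeholder IIS Express HTTPS port
        public ActionResult Login()
        {
            return View();
        }
    }
}
```

In the Razor view the home page link becomes `<a href="@Url.SecureAction("Login", "User", 44300)">Login</a>`, which is the same thing as the `Url.Action(..., "https", Request.Url.Host)` form above but keeps the port so it works under IIS Express. The double log entry itself is harmless for a GET: nothing sensitive is in the URL and the response is only a redirect. The case to check in your own logs is a POST to a RequireHttps action over HTTP, because the base attribute's redirect discards the posted form, which is why the override above refuses non-GET requests instead of redirecting them.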
