
Skipping SSL Connections Locally


When developing locally, you often don’t want to use SSL, for a variety of reasons. There’s no real point, since the request isn’t going over the wire. Most of the time, connections are made via the loopback address 127.0.0.1 (although localhost can be used), which throws certificate errors.

This one problem is often easy to solve, but it relates to a bigger issue: dictating when (and when not) to use SSL on your site.  In the ol’ days, you wouldn’t want an entire site to be SSL for performance reasons.  Ideally, you want to gracefully redirect users to/from SSL based on the requirements of the page.  If a user navigates to a secure section like their account page, you’d like to use SSL.  If they navigate away to a page not needing SSL, you’d want to use http and not https. 

There are a LOT of ways to do this, such as using MVC filters for MVC-based applications. One way I’ve solved this before was simply calling a method like this with each request:

private void SetupSslIfNeeded()
{           
    //bail out on local connections – never need ssl
    if (Request.IsLocal)
    {
        return;
    }

    bool requiresSsl = false;
    string curPath = Request.Path;

    if (curPath.StartsWith("/account", StringComparison.OrdinalIgnoreCase) ||
        curPath.StartsWith("/user", StringComparison.OrdinalIgnoreCase) ||
        curPath.StartsWith("/admin", StringComparison.OrdinalIgnoreCase))
    {
        requiresSsl = true;
    }

    //redirect to secure page
    if (requiresSsl && !Page.Request.IsSecureConnection)
    {
        string currentUrl = HttpContext.Current.Request.Url.ToString();
        string newUrl = currentUrl.Replace("http://", "https://");
        Response.Redirect(newUrl);
    }

    //redirect to non-secure page
    if (!requiresSsl && Page.Request.IsSecureConnection)
    {
        string currentUrl = HttpContext.Current.Request.Url.ToString();
        string newUrl = currentUrl.Replace("https://", "http://");

        Response.Redirect(newUrl);
    }
}

It’s a little more verbose than it needs to be, but it’s done this way because there were a few port-handling lines I left out for simplicity.

What this will do is avoid using SSL for local connections, and any page on the site except for those in the account, user, or admin folders.  The main downside of this approach is that it requires a redirect, which is a round trip to the server.  Ideally, you’d want your links to always be smart enough to know if they should go http:// or https://, but realistically, context switching between SSL and non-SSL pages is pretty rare so the client needing to endure the few extra milliseconds is an acceptable situation.  This is the way we currently handle SSL on http://www.rockpaperazure.com
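The redirect decision from the method above, as an added example that is not part of the original article: it rebuilds the URL with UriBuilder so that only the scheme and port change (a plain string Replace also rewrites any "http://" inside the query string), and it matches the protected prefixes on whole path segments, which goes beyond the StartsWith check in the article. The class name, the httpPort/httpsPort parameters and the example.test URLs are assumptions made for the illustration.

```csharp
using System;

static class SchemeSwitch
{
    static readonly string[] SecurePrefixes = { "/account", "/user", "/admin" };

    // True when the path is one of the article's prefixes or lies beneath it.
    // Matching on a segment boundary keeps "/username-tips" out of "/user".
    public static bool RequiresSsl(string path)
    {
        foreach (string prefix in SecurePrefixes)
        {
            if (path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase) &&
                (path.Length == prefix.Length || path[prefix.Length] == '/'))
                return true;
        }
        return false;
    }

    // Returns the redirect URL, or null when the current scheme already fits.
    // httpPort and httpsPort are assumed parameters for non-default bindings.
    public static string RedirectTarget(Uri url, int httpPort = 80, int httpsPort = 443)
    {
        bool wantHttps = RequiresSsl(url.AbsolutePath);
        bool isHttps = url.Scheme == Uri.UriSchemeHttps;
        if (wantHttps == isHttps)
            return null;
        // Only scheme and port are changed; path and query string stay intact.
        var builder = new UriBuilder(url)
        {
            Scheme = wantHttps ? Uri.UriSchemeHttps : Uri.UriSchemeHttp,
            Port = wantHttps ? httpsPort : httpPort
        };
        return builder.Uri.AbsoluteUri;
    }

    static void Main()
    {
        // Constructed sample URLs; example.test is a placeholder host.
        string[] samples =
        {
            "http://example.test/account/login?returnUrl=http://example.test/home",
            "https://example.test/username-tips",
            "https://example.test/Admin"
        };
        foreach (string s in samples)
            Console.WriteLine("{0} -> {1}", s, RedirectTarget(new Uri(s)) ?? "(no redirect)");
    }
}
```

In the page method, the Request.IsLocal check stays first, and Response.Redirect is called only when RedirectTarget returns a non-null value for Request.Url.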




Published at DZone with permission of Brian Hitney , DZone MVB .

Opinions expressed by DZone contributors are their own.
