- Why would I need this?
- If you have a page that loads over both HTTP (insecure) and HTTPS (secure), you may need this when a form on that page requests private information.
- What is “Private” information?
- It is up to your discretion, but a site that I found (http://support.exware.com/ssl.html) helps to describe it nicely.
- Paraphrased from the link above:
- Private data is information that should only be known to you (the website owner) and the user. The most obvious example is credit card numbers.
- Passwords may also be sensitive if they access private data or functions, such as bank account statements, email inboxes, and so on. Passwords that merely access a members-only area are less sensitive, because these resources are shared and not truly private.
- Note that personal information such as names, email addresses, phone numbers, and mailing addresses is not private. This is information that is meant to be shared with others. SSL does not really protect information that is already publicly available in more accessible formats such as the phone book.
- There is a grey zone between private data (which should be known only to you and the user) and personal data (which is known and used by many others). Individual pieces of personal data may not be a big deal, but if you collect enough personal data, identity theft may become a plausible threat. Special account or identity numbers (SSN, SIN, driver's license, health care, or passport numbers, for example), along with birth dates, common security questions (e.g. mother’s maiden name, names of family members), and information of that nature may collectively comprise an identity that could be stolen for nefarious purposes. The more of this sort of information you collect, the more SSL might be a worthwhile addition to your security policy.
In the code example below replace

```csharp
strWork = strQUERY_STRING.Replace("http://kittell.net", "http://www.kittell.net");
```
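```csharp
// Requires: using System; using System.Web;
public void ForceSSL()
{
    string strQUERY_STRING;
    string strSecureURL = "";
    string strWork;
    string sDebugForceSSL = "";
    HttpContext context = HttpContext.Current;

    // Only act on requests that arrived on the plain-HTTP port.
    if (context.Request.ServerVariables["SERVER_PORT"] == "80")
    {
        // Get the full requested URL (scheme, host, path and query string)
        strQUERY_STRING = context.Request.Url.AbsoluteUri;
        // strQUERY_STRING += context.Request.ServerVariables["QUERY_STRING"];
        // Debug text only; HTML-encode it before ever writing it to a page.
        sDebugForceSSL = "<br/>Insecure URL: " + strQUERY_STRING;

        // Fix the URL: send the bare domain to the www host
        strWork = strQUERY_STRING.Replace("http://<website address>", "http://www.<website address>");
        strWork = strWork.Replace("403;", "");

        // Switch the scheme and drop the explicit port through UriBuilder.
        // Replace("http", "https") and Replace("80", "") would also change
        // matching text in the path and query string (e.g. id=1802).
        UriBuilder secure = new UriBuilder(strWork);
        secure.Scheme = Uri.UriSchemeHttps;
        secure.Port = -1; // -1 = default port for the scheme (443)

        // Now, set the new, secure URL:
        strSecureURL = secure.Uri.AbsoluteUri;
        sDebugForceSSL += "<br/>Secure URL: " + strSecureURL;
        // uncomment for sanity check.
        context.Response.Redirect(strSecureURL);
    }
    // return strSecureURL;
}
```

```csharp
protected void Page_Load(object sender, EventArgs e)
{
    #region ForceSSL Load
    ForceSSL();
    #endregion ForceSSL Load
}
```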
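A rewrite that relies on calls such as `Replace("http", "https")` and `Replace("80", "")` changes every match in the URL, including digits and nested URLs in the query string, not just the scheme and port. The console program below is an added example, not code from the original post: it runs those replacements next to a `UriBuilder`-based rewrite on constructed URLs so the outputs can be compared. The class name, helper names, `bareHost` parameter and `example.com` host are assumptions.

```csharp
using System;

static class HttpsRewriteDemo
{
    // String-based rewrite: each Replace touches every match in the URL.
    // bareHost is the site's domain without "www." (hypothetical parameter).
    static string RewriteByReplace(string url, string bareHost)
    {
        string work = url.Replace("http://" + bareHost, "http://www." + bareHost);
        work = work.Replace("http", "https");
        work = work.Replace("403;", "");
        return work.Replace("80", "");
    }

    // Component-wise rewrite: only the scheme, the port and (when it is the
    // bare domain) the host change; path and query string are left as sent.
    static string RewriteByUriBuilder(string url, string bareHost)
    {
        var b = new UriBuilder(url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        if (string.Equals(b.Host, bareHost, StringComparison.OrdinalIgnoreCase))
            b.Host = "www." + bareHost;
        return b.Uri.AbsoluteUri;
    }

    static void Main()
    {
        const string bareHost = "example.com"; // constructed placeholder domain

        // Constructed sample requests: a plain page, an explicit port with a
        // numeric id containing "80", and a return URL nested in the query.
        string[] samples =
        {
            "http://www.example.com/account",
            "http://example.com:80/orders?id=1802",
            "http://example.com/login?returnUrl=http://example.com/cart80",
        };

        foreach (string url in samples)
        {
            Console.WriteLine("requested : " + url);
            Console.WriteLine("Replace   : " + RewriteByReplace(url, bareHost));
            Console.WriteLine("UriBuilder: " + RewriteByUriBuilder(url, bareHost));
            Console.WriteLine();
        }
    }
}
```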
Last Updated on June 13, 2017