I’m using the IIS 7 rewrite module to redirect a page to use https if http is detected.
Is it possible that the rewrite module can be bypassed? Would it be overkill to also put in an https check in the page_load code as well?
If you want to force SSL, the best way to do it is using only port 443. If you only need SSL in some pages of your website, my recommendation is to move these files into a special web application or virtual directory. Doing this, you can force the SSL connection for these files without worrying about rewrite rules. You can check how to do it here: http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/
Allowing HTTP and HTTPS connections to the same resource can be used to perform a cookie stealing attack if the application cookies are not using the “Secure” attribute.
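The two settings the answer above refers to, as an added configuration example that is not part of the original answer: requiring SSL on a virtual directory at the IIS level, and marking the application's cookies with the "Secure" attribute. The site and directory name `Default Web Site/secure` is a hypothetical placeholder.

```xml
<!-- Fragment 1: applicationHost.config
     Require SSL for one virtual directory, independent of any rewrite rule.
     The path below is a hypothetical placeholder.
     The "access" section is locked at server level by default, so it is set
     here through a location tag (or through IIS Manager, SSL Settings,
     "Require SSL") instead of in the application's web.config. -->
<location path="Default Web Site/secure">
  <system.webServer>
    <security>
      <!-- Weak (default): sslFlags="None" serves the content over plain HTTP.
           Corrected: plain HTTP requests to this path get a 403.4 response. -->
      <access sslFlags="Ssl" />
    </security>
  </system.webServer>
</location>

<!-- Fragment 2: web.config of the ASP.NET application
     Make the application's cookies carry the "Secure" attribute so the
     browser never sends them over an HTTP connection to the same host. -->
<configuration>
  <system.web>
    <!-- Weak (default): requireSSL="false" lets cookies travel over HTTP.
         Corrected: cookies written through Response.Cookies get "Secure". -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

    <authentication mode="Forms">
      <!-- The forms authentication ticket has its own switch;
           it also defaults to requireSSL="false". -->
      <forms requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
```

With `sslFlags="Ssl"` in place, IIS rejects the HTTP request before the rewrite module or page code runs, so an HTTP-to-HTTPS redirect for those URLs has to be issued from a location that still accepts HTTP.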