Home/ Questions/Q 6148717
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T19:19:40+00:00

This Action Filter doesn’t seem to work consistently. Some times it turns SSL off

  • 0

This Action Filter doesn’t seem to work consistently. Some times it turns SSL off and sometimes it doesn’t. I have it applied to the entire controller at it’s declaration.

   public class SSLFilter:ActionFilterAttribute
    {
            public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpRequestBase req = filterContext.HttpContext.Request;
        HttpResponseBase res = filterContext.HttpContext.Response;

        if (req.IsSecureConnection)
        {
            var builder = new UriBuilder(req.Url)
            {
                Scheme = Uri.UriSchemeHttp,
                Port = 80
            };
            res.Redirect(builder.Uri.ToString());
        }
        base.OnActionExecuting(filterContext);
    }
    }

It’s kind of odd…any ideas why it might be working sporadically?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Have you tried decorating your controllers/actions with the [RequireHttps] attribute?

    Oops, haven’t noticed you was asking about ASP.NET MVC 2. This attribute is available in ASP.NET MVC 3 only, so here’s the source code for it (as implemented in ASP.NET MVC 3):

    using System;
using System.Diagnostics.CodeAnalysis;
using System.Web.Mvc.Resources;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public class RequireHttpsAttribute : FilterAttribute, IAuthorizationFilter {

    public virtual void OnAuthorization(AuthorizationContext filterContext) {
        if (filterContext == null) {
            throw new ArgumentNullException("filterContext");
        }

        if (!filterContext.HttpContext.Request.IsSecureConnection) {
            HandleNonHttpsRequest(filterContext);
        }
    }

    protected virtual void HandleNonHttpsRequest(AuthorizationContext filterContext) {
        // only redirect for GET requests, otherwise the browser might not propagate the verb and request
        // body correctly.

        if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase)) {
            throw new InvalidOperationException(MvcResources.RequireHttpsAttribute_MustUseSsl);
        }

        // redirect to HTTPS version of page
        string url = "https://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
        filterContext.Result = new RedirectResult(url);
    }

}

    Notice that how instead of doing any redirects it uses a RedirectResult which is the correct way of performing redirects in ASP.NET MVC => by returning action results:

    filterContext.Result = new RedirectResult(url);

    Not only that this will perform the correct redirect but that’s how to short-circuit the execution of an action. Also semantically your filter should actually be an IAuthorizationFilter as you are blocking access to some resource here.

    • 0