Thursday, June 10, 2010

Redirect to HTTPS

I got asked a question today from one of my System Engineers with respect to redirecting HTTP traffic to HTTPS.  The Web server is IIS, but it shouldn't make a difference.
Explicit Requirements:
  • Web Server Global Redirect (vs. per individual Web application).
  • Present the user with a generic message stating that the URI has changed and suggesting that the user update any associated bookmarks.
  • Minimize any IIS metabase modifications.
Implicit Requirements:
  • Web request discovery so that redirect is identical to the original request with the exception of the protocol - this eliminates a metadata redirect.
  • Redirect delay - present the user with the aforementioned redirect and once a configured delay has expired, redirect the user using the secure protocol.
Solution:
Searching around the Internet, I found a few excellent examples; however, I could not find a solution that fulfilled all of our requirements, so I designed a solution. We decided to create a custom 403 error page. This error page includes the aforementioned generic message and some JavaScript for the redirect. The JavaScript includes an optional parameter for the redirect delay. The JavaScript implementation is below:
var rdcore = {
    /* @delay: int or null - delay in seconds before the redirect is executed. */
    redirectToSsl: function(delay){
        delay = (delay) ? (delay * 1000) : 0;
        setTimeout(function(){
            // Rebuild the original request: host, path, query string and fragment.
            // hostname (not host) is used so that an explicit HTTP port is not carried over to HTTPS.
            var oldUrl = window.location.hostname + window.location.pathname +
                         window.location.search + window.location.hash;
            window.location = 'https://' + oldUrl;
        }, delay);
    }
};
// parameter is the delay in seconds (integer or null) before the redirect is executed.
rdcore.redirectToSsl(10);
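
The "identical except for the protocol" requirement, written as a function that can be tested outside the browser. This is an added example, not code from the original post; `buildHttpsUrl`, `redirectAfter` and the `httpsPort` parameter are hypothetical names, and it goes slightly beyond the post by handling a non-default HTTPS port and a page that is already served over HTTPS.

```javascript
// Added example (not from the original post).
// Returns the HTTPS equivalent of an HTTP URL, or null if no redirect is needed.
// httpsPort is optional; omit it when HTTPS listens on the default port 443.
function buildHttpsUrl(href, httpsPort) {
    var url = new URL(href);                 // throws on malformed input
    if (url.protocol === 'https:') {
        return null;                         // already secure: avoids a redirect loop
    }
    if (url.protocol !== 'http:') {
        throw new Error('unsupported scheme: ' + url.protocol);
    }
    // The HTTP port is never reused; only an explicitly configured HTTPS port is added.
    var port = (httpsPort && httpsPort !== 443) ? ':' + httpsPort : '';
    // hostname keeps the brackets of an IPv6 literal; any user:password@ part is dropped.
    return 'https://' + url.hostname + port + url.pathname + url.search + url.hash;
}

// Browser-side wrapper: waits delaySeconds, then navigates to the HTTPS URL.
// location.replace() keeps the HTTP error page out of the history, so the
// Back button does not return the user to the redirect page.
function redirectAfter(delaySeconds, httpsPort) {
    var ms = Math.max(0, Number(delaySeconds) || 0) * 1000;
    return setTimeout(function () {
        var target = buildHttpsUrl(window.location.href, httpsPort);
        if (target !== null) {
            window.location.replace(target);
        }
    }, ms);
}

// In the custom error page: redirectAfter(10);
```
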
