ASP.NET MVC - HTML.BeginForm and SSL


ASP.NET MVC - HTML.BeginForm and SSL



I am encountering an issue with what should be a simple logon form in ASP.NET MVC 2. Essentially my form looks a little something like this:

using (Html.BeginForm("LogOn", "Account", new { area = "Buyers" }, FormMethod.Post, new { ID = "buyersLogOnForm" })) 

I have a RequiresHTTPS filter on the LogOn Action method but when it executes I receive the following message

The requested resource can only be accessed via SSL

At this point the only solution that worked was to pass in an extra action htmlattribute as follows:

 var actionURL = "https://"  + Request.Url.Host + Request.Url.PathAndQuery;     using (Html.BeginForm("LogOn", "Account", new { area = "Buyers" }, FormMethod.Post, new { ID = "buyersLogOnForm", @action = actionURL })) 

While this works I wonder a) why i am seeing this issue in the first place and b) if there is a more straightforward way of posting to https from a http page?

[Edit]

I should have stated that the logon dropdown will be available on many public pages. I do not want all of my pages to be HTTPS. For instance, my hope page - which ANYONE can see - should not be HTTPS based. Essentially I need to specify the protocol in my form but have no idea how to do that, or if it is possible.

I would appreciate any advice/suggestions. Thanks in advance

JP


SSI-like feature in ASP.NET / ASP.NET MVC

1:

how do i load thousands of rows in my asp.net mvc project from database into slickgrid?
You could use . HTML.DropDownList values from multiple sources?
<form action =" <%= Url.Action( "action", "controller", ViewContext.RouteData.Values, "https" ) %>" method="post" > 
Authentication for IIS content in virtual directory under ASP.NET MVC websiteHow can I get the client side date and currency formats?

2:

When to use Singleton vs Transient vs Request using Ninject and MongoDB
Use the [RequireHttps] attrialthough e on both the action this renders the form and the one you are posting to.. ASP.NET MVC Registration With Captcha
ASP.NET MVC: Why is `ToMvcHtmlString` not public?

3:

Update: Review the comments below around the security vulnerabilities of this approach before considering the use of this code.. I found this a hybrid of JP and Malcolm's code examples worked. .
using (Html.BeginForm("Login", "Account", FormMethod.Post, new { @action = Url.Action("Login","Account",ViewContext.RouteData.Values,"https") })) 
Still felt a bit hacky though so I created a custom BeginForm helper. The custom helper is cleaner and does not require https when running locally. .
public static MvcForm BeginFormHttps(this HtmlHelper htmlHelper, string actionName, string controllerName)     {         TagBuilder form = new TagBuilder("form");         UrlHelper Url = new UrlHelper(htmlHelper.ViewContext.RequestContext);          //convert to https when deployed         string protocol = htmlHelper.ViewContext.HttpContext.Request.IsLocal == true? "http" : "https";          string formAction = Url.Action(actionName,controllerName,htmlHelper.ViewContext.RouteData.Values,protocol);         form.MergeAttrialthough e("action", formAction);          FormMethod method = FormMethod.Post;         form.MergeAttrialthough e("method", HtmlHelper.GetFormMethodString(method), true);          htmlHelper.ViewContext.Writer.Write(form.ToString(TagRenderMode.StartTag));          MvcForm mvcForm = new MvcForm(htmlHelper.ViewContext);          return mvcForm;     } 
Example usage:.
@using (Html.BeginFormHttps("Login", "Account")) 


82 out of 100 based on 67 user ratings 542 reviews

#