问题描述

我有一个用ASP.Net MVC4编写并部署到IIS7.5的网站，用户首先需要登录才能浏览网络的其余部分，因此，例如，源代码如下:

I have a website wrote in ASP.Net MVC4 and deployed to IIS7.5, user first need to sign in before browse the rest of the web, so for example, here's the source look like:

路线:

localhost/project/account/logon
localhost/project/apple
localhost/project/banana

登录方法:

[RequireHttps]
public ActionResult Logon(string returnUrl)
{
    ...
    return View();
}


[HttpPost]
public ActionResult Logon(string user, string pwd, bool remember)
{
    ...
    string url = "/apple";
    return Redirect(url);
}

问题是，用户登录后，我们使用 return Redirect('/apple')将用户重定向到其他链接，它也使用HTTPS https://localhost/project/apple 访问新链接.

The problem is, after user log on, and we redirect user to other link use return Redirect('/apple'), it also uses HTTPS https://localhost/project/apple to visit the new link.

如何防止重定向使用HTTPS?

How can I prevent the redirect from using HTTPS?

推荐答案

您可以使用以下内容:

[HttpPost]
public ActionResult Logon(string user, string pwd, bool remember)
{
    var url = Url.Action("someAction", "someController", null, "http");
    return Redirect(url);
}

但是不要那样做.切勿通过未加密的通道传输会话cookie.一旦对用户进行身份验证，并且您向其发出了身份验证Cookie，则该用户在您的网站上所做的所有操作都应通过SSL发送.我还建议您使用 secure 标志(在web.config中的 requireSSL ="true" )发出表单身份验证cookie.

But don't do that. NEVER transmit a session cookie over an unencrypted channel. Once the user is authenticated and you have emitted him an authentication cookie, everything that this user does on your website should be sent over SSL. I would also recommend you emitting your forms authentication cookies with the secure flag (requireSSL="true" in your web.config).

这篇关于强制使用HTTP代替HTTPS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！