What's New?

[FIXED] [#769] [3.2.0] Require Https

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Mar 19, 2015, 6:54 PM

    [FIXED] [#769] [3.2.0] Require Https

    Index 1
    <!DOCTYPE html>
<html>
<head id="Head1" runat="server">
</head>
<body>
    <ext:ResourceManager RenderScripts="CDN" RenderStyles="CDN" runat="server" />
    <h1>Index 1</h1>
    <ext:Button Text="Redirect to Index 2" DirectClickUrl="~/Example/RedirectToIndex2" runat="server" />
</body>
</html>
    Index 2
    <!DOCTYPE html>
<html>
<head id="Head1" runat="server">
</head>
<body>
    <ext:ResourceManager RenderScripts="CDN" RenderStyles="CDN" runat="server" />
    <h1>Index 2</h1>
    <ext:Button Text="Redirect to Index 1" DirectClickUrl="~/Example/RedirectToIndex1" runat="server" />
</body>
</html>
    Scenario 1 - Index 1 requires HTTPS

    On Index1, all Ext.NET CDN where loaded using https protocol, what is ok.

    Press Redirect to Index 2

    On Index2, all Ext.NET CDN where loaded using https protocol, what, in my opinion, is wrong.

    namespace SandBox.Controllers
{
    public class ExampleController : System.Web.Mvc.Controller
    {
        [RequireHttps]
        public ActionResult Index1()
        {
            return View();
        }

        public ActionResult Index2()
        {
            return View();
        }

        public ActionResult RedirectToIndex1()
        {
            return this.RedirectToAction("Index1", "Example");
        }

        public ActionResult RedirectToIndex2()
        {
            return this.RedirectToAction("Index2", "Example");
        }
    }
}
    Scenario 2 - Index 2 requires HTTPS

    On Index1, all Ext.NET CDN where loaded using http protocol, what is ok.

    Press Redirect to Index 2

    Exception is thrown due to CDN resources url protocol.

    namespace SandBox.Controllers
{
    public class ExampleController : System.Web.Mvc.Controller
    {
        public ActionResult Index1()
        {
            return View();
        }

        [RequireHttps]
        public ActionResult Index2()
        {
            return View();
        }

        public ActionResult RedirectToIndex1()
        {
            return this.RedirectToAction("Index1", "Example");
        }

        public ActionResult RedirectToIndex2()
        {
            return this.RedirectToAction("Index2", "Example");
        }
    }
}
    Thanks in advance.
    Last edited by Daniil; Mar 26, 2015 at 10:19 AM. Reason: [FIXED] [#769] [3.2.0]
  2. #2
    Mar 20, 2015, 7:58 PM
    Hi Raphael,

    A CDN path's http or https is chosen basing on HttpContext.Current.Request.IsSecureConnection.

    So, it looks like a connection is considered secure or not basing on a request that initiates redirection.

    I am not sure what we could do with that. Do you have any suggestion?
  3. #3
    Mar 23, 2015, 11:43 AM
    So, it looks like a connection is considered secure or not basing on a request that initiates redirection.
    Once CDN path is "build", all requests will receive the same path, no matter if security has changed.

    It would be possible to overcome it by doing the following:
    private static string CDNPlusVer = null;

private static string SecureCDNPlusVer = null;

internal static string CDNPath
{
    get
    {
        if(HttpContext.Current.Request.IsSecureConnection)
        {
            if (string.IsNullOrEmpty(SecureCDNPlusVer))
            {
                var ver = FileVersionInfo.GetVersionInfo(Assembly.GetExecutingAssembly().Location);
                SecureCDNPlusVer = string.Format("https://speed.ext.net/ext.net/{0}.{1}.{2}", ver.ProductMajorPart, ver.ProductMinorPart, ver.ProductBuildPart);
            }
            return SecureCDNPlusVer;
        }
        else
        {
            if (string.IsNullOrEmpty(CDNPlusVer))
            {
                var ver = FileVersionInfo.GetVersionInfo(Assembly.GetExecutingAssembly().Location);
                CDNPlusVer = string.Format("http://speed.ext.net/ext.net/{0}.{1}.{2}", ver.ProductMajorPart, ver.ProductMinorPart, ver.ProductBuildPart);
            }
            return CDNPlusVer;
        }
    }
}
    Last edited by RCN; Mar 23, 2015 at 1:35 PM.
  4. #4
    Mar 23, 2015, 1:55 PM
    Thank you for the suggestion!

    Well... something confuses me. If a page is requested with http why the resources should be requested with https and otherwise?
  5. #5
    Mar 23, 2015, 1:59 PM
    Well... something confuses me. If a page is requested with http why the resources should be requested with https and otherwise?
    It's not a problem at all to load resources using https when page is loaded using http, but loading resources using http when page is loaded using https raises security issues.

    The code provided on post #3 will "force" the resources to be loaded using the same page's protocol.
    Last edited by RCN; Mar 23, 2015 at 2:02 PM.
  6. #6
    Mar 26, 2015, 10:18 AM
    Oh, I finally got it. Thanks! Created an Issue.
    https://github.com/extnet/Ext.NET/issues/769

    I think that IsSecureConnection should be checked on each request.

    v2: fixed in the revision 6405 (branches/2). It goes to 2.5.4.
    v3: fixed in the revision 6406 (trunk). It goes to 3.2.0.

    We would appreciate if you can update and retest it on your side.

Posting Permissions