[FIXED] [#769] [3.2.0] Require Https

Page 1 of 2 12 LastLast
  1. #1

    [FIXED] [#769] [3.2.0] Require Https

    Index 1
    <!DOCTYPE html>
    <html>
    <head id="Head1" runat="server">
    </head>
    <body>
        <ext:ResourceManager RenderScripts="CDN" RenderStyles="CDN" runat="server" />
        <h1>Index 1</h1>
        <ext:Button Text="Redirect to Index 2" DirectClickUrl="~/Example/RedirectToIndex2" runat="server" />
    </body>
    </html>
    Index 2
    <!DOCTYPE html>
    <html>
    <head id="Head1" runat="server">
    </head>
    <body>
        <ext:ResourceManager RenderScripts="CDN" RenderStyles="CDN" runat="server" />
        <h1>Index 2</h1>
        <ext:Button Text="Redirect to Index 1" DirectClickUrl="~/Example/RedirectToIndex1" runat="server" />
    </body>
    </html>
    Scenario 1 - Index 1 requires HTTPS

    On Index1, all Ext.NET CDN where loaded using https protocol, what is ok.

    Press Redirect to Index 2

    On Index2, all Ext.NET CDN where loaded using https protocol, what, in my opinion, is wrong.

    namespace SandBox.Controllers
    {
        public class ExampleController : System.Web.Mvc.Controller
        {
            [RequireHttps]
            public ActionResult Index1()
            {
                return View();
            }
    
            public ActionResult Index2()
            {
                return View();
            }
    
            public ActionResult RedirectToIndex1()
            {
                return this.RedirectToAction("Index1", "Example");
            }
    
            public ActionResult RedirectToIndex2()
            {
                return this.RedirectToAction("Index2", "Example");
            }
        }
    }
    Scenario 2 - Index 2 requires HTTPS

    On Index1, all Ext.NET CDN where loaded using http protocol, what is ok.

    Press Redirect to Index 2

    Exception is thrown due to CDN resources url protocol.

    namespace SandBox.Controllers
    {
        public class ExampleController : System.Web.Mvc.Controller
        {
            public ActionResult Index1()
            {
                return View();
            }
    
            [RequireHttps]
            public ActionResult Index2()
            {
                return View();
            }
    
            public ActionResult RedirectToIndex1()
            {
                return this.RedirectToAction("Index1", "Example");
            }
    
            public ActionResult RedirectToIndex2()
            {
                return this.RedirectToAction("Index2", "Example");
            }
        }
    }
    Thanks in advance.
    Last edited by Daniil; Mar 26, 2015 at 10:19 AM. Reason: [FIXED] [#769] [3.2.0]
  2. #2
    Hi Raphael,

    A CDN path's http or https is chosen basing on HttpContext.Current.Request.IsSecureConnection.

    So, it looks like a connection is considered secure or not basing on a request that initiates redirection.

    I am not sure what we could do with that. Do you have any suggestion?
  3. #3
    So, it looks like a connection is considered secure or not basing on a request that initiates redirection.
    Once CDN path is "build", all requests will receive the same path, no matter if security has changed.

    It would be possible to overcome it by doing the following:
    private static string CDNPlusVer = null;
    
    private static string SecureCDNPlusVer = null;
    
    internal static string CDNPath
    {
        get
        {
            if(HttpContext.Current.Request.IsSecureConnection)
            {
                if (string.IsNullOrEmpty(SecureCDNPlusVer))
                {
                    var ver = FileVersionInfo.GetVersionInfo(Assembly.GetExecutingAssembly().Location);
                    SecureCDNPlusVer = string.Format("https://speed.ext.net/ext.net/{0}.{1}.{2}", ver.ProductMajorPart, ver.ProductMinorPart, ver.ProductBuildPart);
                }
                return SecureCDNPlusVer;
            }
            else
            {
                if (string.IsNullOrEmpty(CDNPlusVer))
                {
                    var ver = FileVersionInfo.GetVersionInfo(Assembly.GetExecutingAssembly().Location);
                    CDNPlusVer = string.Format("http://speed.ext.net/ext.net/{0}.{1}.{2}", ver.ProductMajorPart, ver.ProductMinorPart, ver.ProductBuildPart);
                }
                return CDNPlusVer;
            }
        }
    }
    Last edited by RCN; Mar 23, 2015 at 1:35 PM.
  4. #4
    Thank you for the suggestion!

    Well... something confuses me. If a page is requested with http why the resources should be requested with https and otherwise?
  5. #5
    Well... something confuses me. If a page is requested with http why the resources should be requested with https and otherwise?
    It's not a problem at all to load resources using https when page is loaded using http, but loading resources using http when page is loaded using https raises security issues.

    The code provided on post #3 will "force" the resources to be loaded using the same page's protocol.
    Last edited by RCN; Mar 23, 2015 at 2:02 PM.
  6. #6
    Oh, I finally got it. Thanks! Created an Issue.
    https://github.com/extnet/Ext.NET/issues/769

    I think that IsSecureConnection should be checked on each request.

    v2: fixed in the revision 6405 (branches/2). It goes to 2.5.4.
    v3: fixed in the revision 6406 (trunk). It goes to 3.2.0.

    We would appreciate if you can update and retest it on your side.
  7. #7
    We would appreciate if you can update and retest it on your side.
    I confirm it's working as expected.
    I think that IsSecureConnection should be checked on each request.
    Daniil, on suggested approach provided on post #3, IsSecureConnection is ckecked on each request (line 5). The difference between it and the checked in code is that on mine i do not have to build the path on each request, both http and https paths are build just once.

    It's up to you whether there is a need to build it on each request.

    Once again, thank you.

    Approach provided on post #3
    internal static string CDNPath
    {
        get
        {
            if(HttpContext.Current.Request.IsSecureConnection)
            {
                if (string.IsNullOrEmpty(SecureCDNPlusVer))
                {
                    var ver = FileVersionInfo.GetVersionInfo(Assembly.GetExecutingAssembly().Location);
                    SecureCDNPlusVer = string.Format("https://speed.ext.net/ext.net/{0}.{1}.{2}", ver.ProductMajorPart, ver.ProductMinorPart, ver.ProductBuildPart);
                }
                return SecureCDNPlusVer;
            }
            else
            {
                if (string.IsNullOrEmpty(CDNPlusVer))
                {
                    var ver = FileVersionInfo.GetVersionInfo(Assembly.GetExecutingAssembly().Location);
                    CDNPlusVer = string.Format("http://speed.ext.net/ext.net/{0}.{1}.{2}", ver.ProductMajorPart, ver.ProductMinorPart, ver.ProductBuildPart);
                }
                return CDNPlusVer;
            }
        }
    }
    Checked in code
    internal static string CDNPath
    {
        get
        {
            if (string.IsNullOrEmpty(CDNPlusVer))
            {
                var ver = FileVersionInfo.GetVersionInfo(Assembly.GetExecutingAssembly().Location);
                CDNPlusVer = string.Format("://speed.ext.net/ext.net/{0}.{1}.{2}", ver.ProductMajorPart, ver.ProductMinorPart, ver.ProductBuildPart);
            }
                   
            return (HttpContext.Current.Request.IsSecureConnection ? "https" : "http") + CDNPlusVer;
        }
    }
  8. #8
    Thank you for the confirmation.

    I see your approach is good as well! Thank you for clarifying.
  9. #9
    Daniil, on suggested approach provided on post #3, IsSecureConnection is ckecked on each request (line 5). The difference between it and the checked in code is that on mine i do not have to build the path on each request, both http and https paths are build just once.
    On the point of superior performance, I up-vote RCN's implementation with the following adjustment for further improvement in performance.

    internal static string CDNPath
    {
        get
        {
            if(HttpContext.Current.Request.IsSecureConnection)
            {
                if (string.IsNullOrEmpty(SecureCDNPlusVer))
                {
                    var ver = FileVersionInfo.GetVersionInfo(Assembly.GetExecutingAssembly().Location);
                    SecureCDNPlusVer = string.Concat(@"https://speed.ext.net/ext.net/", ver.ProductMajorPart, ".", ver.ProductMinorPart, ".", ver.ProductBuildPart);            }
                return SecureCDNPlusVer;
            }
            else
            {
                if (string.IsNullOrEmpty(CDNPlusVer))
                {
                    var ver = FileVersionInfo.GetVersionInfo(Assembly.GetExecutingAssembly().Location);
                    CDNPlusVer = string.Concat(@"http://speed.ext.net/ext.net/", ver.ProductMajorPart, ".", ver.ProductMinorPart, ".", ver.ProductBuildPart);
    
                }
                return CDNPlusVer;
            }
        }
    Reason being that Format is typically more expensive because of parsing. It's not a serious issue, but if you really want your product at full-max, it's always a better to use Concat over Format. Format should only ever be used for highly complex formats.

    Moreover, I'd go even further and precalculate ProductFullVersion for internal use in the product...
    ProductFullVersion = string.Concat(ver.ProductMajorPart, ".", ver.ProductMinorPart, ".", ver.ProductBuildPart);
  10. #10
    Michael, thank you for sharing that, i agree 100%.
Page 1 of 2 12 LastLast

Posting Permissions