
Re: server side redirect https => http STILL NOT working

Author
21 Apr 2009 3:19 PM
Axel
Hi - I am still struggling; I cannot make a server side redirect happen
from https to http.

It's not the generation of the URL that is the problem; it just simply
seems to ignore the fact that I am redirecting from secure to a plain
http page (the other way round always works). The user can click on http
links and follow but redirects or AddHeader always stay within https.

After reading
http://www.4guysfromrolla.com/aspfaqs/ShowFAQ.asp?FAQID=72 (ASPFAQs.com)
and
http://www.somacon.com/p145.php (Permanent Redirect with HTTP 301)

Here is my final code (using AddHeader instead of Redirect) - I also
made sure not to have ANY output before I call the page. However, some
session variables are written (these are needed to identify the user
once he is logged on) - Buffering is turned on as per standard.

Function redirectNoSSL(sUrl)
   Dim sNewURL
   sNewURL = stripSSL(sUrl)
   If Response.Buffer=True then
     Response.Clear
     Response.Buffer=False
   End If

   'Call Response.Redirect(sNewURL)
   ' instead of redirect!

   Response.Status = "301 Moved Permanently"
   Call Response.AddHeader ("Location", sNewURL)
End Function

(stripSSL works fine, and is supposed to work with relative URLs; it just
recreates the current URL with http: instead of https, and appends the
(relative) target URL, see code below)

Any other suggestions?

Axel

' example: Redirect stripSSL("../../images/head.gif")
Function stripSSL(sTarget)
   Dim host, sUrl, i
   stripSSL=""
   if sTarget="" Then Exit Function

   sUrl=Request.ServerVariables("URL")
   host=Request.ServerVariables("server_name")

   i=InStrRev(sUrl, "/")
   stripSSL= "http://" & host & Left(sUrl,i) & sTarget
End Function


Adrienne Boswell wrote:
> Gazing into my crystal ball I observed Axel <n@pe.com> writing in
> news:uHRJEE$rJHA.1492@TK2MSFTNGP03.phx.gbl:
>
>> Hi
>>
>> I am trying to redirect from some (login) pages from https to http by
>> using >>Response.Redirect<< but it seems to always end up on https
> pages
>> anyway. The only way I get the users back to http is by them clicking
> on
>> my (explicit) links but I want to drop them back to http as soon as
> they
>> are logged in.
>>
>> The other way around (http to https) works fine. What could cause such
> a
>> behavior? Maybe some global switch in global.asa? Or cookies set by
> the
>> secure page? Its really weird.
>>
>> I am considering doing the redirect client side but I don't want the
>> whole page to load and then to the redirect as its slooow. OTOH I am
>> scared of cutting the page short server site in case the client
> redirect
>> method fails (e.g. due to ignoring javascript or meta headers). Is
> there
>> a sure fire way to redirect to non-secure after successful login?
>>
>> thanks in advance
>> Axel
>>
>
> Here's what I do:
>
> serverswitchon = "https://" & request.servervariables("SERVER_NAME") 
> serverswitchon = serverswitchon & left(request.servervariables
> ("PATH_INFO"),instrrev(request.servervariables("PATH_INFO"),"/"))
> serverswitchoff = "http://" & request.servervariables("SERVER_NAME") 
> serverswitchoff = serverswitchoff & left(request.servervariables
> ("PATH_INFO"),instrrev(request.servervariables("PATH_INFO"),"/"))
>
> response.redirect serverswitchoff & "pagename.asp"  'to http
> response.redirect serverswitchon & "pagename.asp"  'to https
>

Author
21 Apr 2009 11:17 PM
Adrienne Boswell
Gazing into my crystal ball I observed Axel <n@pe.com> writing in
news:u88YUSpwJHA.5516@TK2MSFTNGP02.phx.gbl:

Please do not top post - it confuses the order of the conversation.
Top posting corrected.  See below:

> Adrienne Boswell wrote:
>> Gazing into my crystal ball I observed Axel <n@pe.com> writing in
>> news:uHRJEE$rJHA.1492@TK2MSFTNGP03.phx.gbl:
>>
>>> Hi
>>>
>>> I am trying to redirect from some (login) pages from https to http by
>>> using >>Response.Redirect<< but it seems to always end up on https
>> pages
>>> anyway. The only way I get the users back to http is by them clicking
>> on
>>> my (explicit) links but I want to drop them back to http as soon as
>> they
>>> are logged in.
>>>
>>> The other way around (http to https) works fine. What could cause
such
>> a
>>> behavior? Maybe some global switch in global.asa? Or cookies set by
>> the
>>> secure page? Its really weird.
>>>
>>> I am considering doing the redirect client side but I don't want the
>>> whole page to load and then to the redirect as its slooow. OTOH I am
>>> scared of cutting the page short server site in case the client
>> redirect
>>> method fails (e.g. due to ignoring javascript or meta headers). Is
>> there
>>> a sure fire way to redirect to non-secure after successful login?
>>>
>>> thanks in advance
>>> Axel
>>>
>>
>> Here's what I do:
>>
>> serverswitchon = "https://" & request.servervariables("SERVER_NAME") 
>> serverswitchon = serverswitchon & left(request.servervariables
>> ("PATH_INFO"),instrrev(request.servervariables("PATH_INFO"),"/"))
>> serverswitchoff = "http://" & request.servervariables("SERVER_NAME") 
>> serverswitchoff = serverswitchoff & left(request.servervariables
>> ("PATH_INFO"),instrrev(request.servervariables("PATH_INFO"),"/"))
>>
>> response.redirect serverswitchoff & "pagename.asp"  'to http
>> response.redirect serverswitchon & "pagename.asp"  'to https
>>

> Hi - I am still struggling can not make a server side redirect happen
> from https to http.

Did you try my method (watch wrapping)?  I have no problems here doing
this - of course, this is on my local machine, with a local certificate.

This is what I did.  I created a page - pagename0.asp that I put into my
url bar as https://localhost/pagename0.asp .  That page comes up and
loops through the server variables - https is ON.  There is a link to
pagename1.asp.  Clicking on that (still in https), pagename1.asp
response.redirects to http://localhost/pagename3.asp.  Pagename3.asp also
loops through the server variables, and it shows https is OFF.

>
> its not the generation of the URL that is the problem; it just simply
> seems to ignore the fact that I am redirecting from secure to a plain
> http page (the other way round always work). The user can click on http
> links and follow but redirects or AddHeader always stays within https.
>
> After reading
> http://www.4guysfromrolla.com/aspfaqs/ShowFAQ.asp?FAQID=72
(ADPFAQs.com)
> and
> http://www.somacon.com/p145.php (Permanent Redirect with HTTP 301)
>
> Here is my final code (using AddHeader instead of Redirect) - I also
> made sure not have ANY output before I call the page. However, some
> session variables are written (these are needed to identify the user
> once he is logged on) - Buffering is turned on as per standard.
>
> Function redirectNoSSL(sUrl)
>    Dim sNewURL
>    sNewURL = stripSSL(sUrl)
>    If Response.Buffer=True then
>      Response.Clear
>      Response.Buffer=False
>    End If
>
>    'Call Response.Redirect(sNewURL)
>    ' instead of redirect!
>
>    Response.Status = "301 Moved Permanently"
>    Call Response.AddHeader ("Location", sNewURL)
> End Function
>
> (stripSSL works fine, and is supposed to with relative URLs; it just
> recreates the current URL with http: instead of https, and appends the
> (relative) target URL, see code below)
>
> any other suggestions.
>
> Axel
>
> ' example: Redirect stripSSL("../../images/head.gif")
> Function stripSSL(sTarget)
>    Dim host, sUrl, i
>    stripSSL=""
>    if sTarget="" Then Exit Function
>
>    sUrl=Request.ServerVariables("URL")
>    host=Request.ServerVariables("server_name")
>     
>    i=InStrRev(sUrl, "/")
>    stripSSL= "http://" & host & Left(sUrl,i) & sTarget
> End Function
>
>


--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share

Author
25 Apr 2009 4:03 PM
Axel
Adrienne Boswell wrote:
> Gazing into my crystal ball I observed Axel <n@pe.com> writing in
> news:u88YUSpwJHA.5516@TK2MSFTNGP02.phx.gbl:
>
> Please do not top post - it confuses the order of the conversation.
> Top posting corrected.  See below:
>
>> Adrienne Boswell wrote:
>>> Gazing into my crystal ball I observed Axel <n@pe.com> writing in
>>> news:uHRJEE$rJHA.1492@TK2MSFTNGP03.phx.gbl:
>>>
>>>> Hi
>>>>
>>>> I am trying to redirect from some (login) pages from https to http by
>>>> using >>Response.Redirect<< but it seems to always end up on https
>>> pages
>>>> anyway. The only way I get the users back to http is by them clicking
>>> on
>>>> my (explicit) links but I want to drop them back to http as soon as
>>> they
>>>> are logged in.
>>>>
>>>> The other way around (http to https) works fine. What could cause
> such
>>> a
>>>> behavior? Maybe some global switch in global.asa? Or cookies set by
>>> the
>>>> secure page? Its really weird.
>>>>
>>>> I am considering doing the redirect client side but I don't want the
>>>> whole page to load and then to the redirect as its slooow. OTOH I am
>>>> scared of cutting the page short server site in case the client
>>> redirect
>>>> method fails (e.g. due to ignoring javascript or meta headers). Is
>>> there
>>>> a sure fire way to redirect to non-secure after successful login?
>>>>
>>>> thanks in advance
>>>> Axel
>>>>
>>> Here's what I do:
>>>
>>> serverswitchon = "https://" & request.servervariables("SERVER_NAME") 
>>> serverswitchon = serverswitchon & left(request.servervariables
>>> ("PATH_INFO"),instrrev(request.servervariables("PATH_INFO"),"/"))
>>> serverswitchoff = "http://" & request.servervariables("SERVER_NAME") 
>>> serverswitchoff = serverswitchoff & left(request.servervariables
>>> ("PATH_INFO"),instrrev(request.servervariables("PATH_INFO"),"/"))
>>>
>>> response.redirect serverswitchoff & "pagename.asp"  'to http
>>> response.redirect serverswitchon & "pagename.asp"  'to https
>>>
>
>> Hi - I am still struggling can not make a server side redirect happen
>> from https to http.
>
> Did you try my method (watch wrapping)?  I have no problems here doing
> this - of course, this is on my local machine, with a local certificate.
>
> This is what I did.  I created a page - pagename0.asp that I put into my
> url bar as https://localhost/pagename0.asp .  That page comes up and
> loops through the server variables - https is ON.  There is a link to
> pagename1.asp.  Clicking on that (still in https), pagename1.asp
> response.redirects to http://localhost/pagename3.asp.  Pagename3.asp also
> loops through the server variables, and it shows https is OFF.
>

Hi Adrian,

I am not quite sure what the difference is from the Redirect point of
view. Like me, you are also creating a standard version of the URI
(http://localhost/page.asp) in the string serverswitchoff. Then you do a
response.redirect to it. Or is it the fact that in your example you do 2
redirects (??).

In my case I do response.redirect http://path/somepage.asp
but still end up on https://path/somepage.asp
So it's not the URI that is the problem but the redirect (from secure to
http). BTW it always works the other way round (http => https). Maybe it
is a restriction of our ISP (network solutions).


BTW I can not test this behavior on localhost as I do not have a local
certificate. I always have to upload.

thanks
   Axel


Author
25 Apr 2009 10:26 PM
Adrienne Boswell
Gazing into my crystal ball I observed Axel <n@pe.com> writing in
news:#mAGb9bxJHA.1432@TK2MSFTNGP02.phx.gbl:

>
>
> Adrienne Boswell wrote:
>> Gazing into my crystal ball I observed Axel <n@pe.com> writing in
>> news:u88YUSpwJHA.5516@TK2MSFTNGP02.phx.gbl:
>>
>> Please do not top post - it confuses the order of the conversation.
>> Top posting corrected.  See below:
>>
>>> Adrienne Boswell wrote:
>>>> Gazing into my crystal ball I observed Axel <n@pe.com> writing in
>>>> news:uHRJEE$rJHA.1492@TK2MSFTNGP03.phx.gbl:
>>>>
>>>>> Hi
>>>>>
>>>>> I am trying to redirect from some (login) pages from https to http
>>>>> by using >>Response.Redirect<< but it seems to always end up on
>>>>> https
>>>> pages
>>>>> anyway. The only way I get the users back to http is by them
>>>>> clicking
>>>> on
>>>>> my (explicit) links but I want to drop them back to http as soon
>>>>> as
>>>> they
>>>>> are logged in.
>>>>>
>>>>> The other way around (http to https) works fine. What could cause
>> such
>>>> a
>>>>> behavior? Maybe some global switch in global.asa? Or cookies set
>>>>> by
>>>> the
>>>>> secure page? Its really weird.
>>>>>
>>>>> I am considering doing the redirect client side but I don't want
>>>>> the whole page to load and then to the redirect as its slooow.
>>>>> OTOH I am scared of cutting the page short server site in case the
>>>>> client
>>>> redirect
>>>>> method fails (e.g. due to ignoring javascript or meta headers). Is
>>>> there
>>>>> a sure fire way to redirect to non-secure after successful login?
>>>>>
>>>>> thanks in advance
>>>>> Axel
>>>>>
>>>> Here's what I do:
>>>>
>>>> serverswitchon = "https://" &
>>>> request.servervariables("SERVER_NAME")  serverswitchon =
>>>> serverswitchon & left(request.servervariables
>>>> ("PATH_INFO"),instrrev(request.servervariables("PATH_INFO"),"/"))
>>>> serverswitchoff = "http://" &
>>>> request.servervariables("SERVER_NAME")  serverswitchoff =
>>>> serverswitchoff & left(request.servervariables
>>>> ("PATH_INFO"),instrrev(request.servervariables("PATH_INFO"),"/"))
>>>>
>>>> response.redirect serverswitchoff & "pagename.asp"  'to http
>>>> response.redirect serverswitchon & "pagename.asp"  'to https
>>>>
>>
>>> Hi - I am still struggling can not make a server side redirect
>>> happen from https to http.
>>
>> Did you try my method (watch wrapping)?  I have no problems here
>> doing this - of course, this is on my local machine, with a local
>> certificate.
>>
>> This is what I did.  I created a page - pagename0.asp that I put into
>> my url bar as https://localhost/pagename0.asp .  That page comes up
>> and loops through the server variables - https is ON.  There is a
>> link to pagename1.asp.  Clicking on that (still in https),
>> pagename1.asp response.redirects to http://localhost/pagename3.asp.
>> Pagename3.asp also loops through the server variables, and it shows
>> https is OFF.
>>
>
> Hi Adrian,

Hate to be picky, but it's _Adrienne_ not Adrian. I'm female.

>
> I am not quite sure what the difference is from the Redirect point of
> view. Like me, you are also creating  a standard version of the URI
> (http://localhost/page.asp) in the string serverswitchoff. Then you do
> a response.redirect to it. Or is it the fact that in your example you
> 2 redirects (??).

Did you set it up EXACTLY like I said? This is something that I put in an
include and use as needed, eg:

<li><a href="<%=serverswitchon%>login.asp">Login</a></li>
<li><a href="<%=serverswitchoff%>logoff.asp">Log Off</a></li>

>
> In my case I do response.redirect http://path/somepage.asp
> but still end up on https://path/somepage.asp
> So its not the URI that is the problem but the redirect (from secure
> to http). BTW it always works the other way round (http => https).
> Maybe it is a restriction of our ISP (network solutions).

I doubt your ISP is Network Solutions.  They are a registrar and hosting
provider, AFAIK, they are not an ISP.

>
>
> BTW I can not test this behavior on localhost as I do not have a local
> certificate. I always have to upload.

You can have a local certificate.  It's absolutely necessary for testing,
just as in this case.

See [http://andyjarrett.co.uk/andy/blog/index.cfm/2004/10/1/Localhost-SSL-testing-on-Win-XPIIS-5-for-free]
for instructions on how to install a certificate for localhost.



--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share
Author
26 Apr 2009 8:35 PM
Axel
Adrienne Boswell wrote:
>>>
>>> This is what I did.  I created a page - pagename0.asp that I put into
>>> my url bar as https://localhost/pagename0.asp .  That page comes up
>>> and loops through the server variables - https is ON.  There is a
>>> link to pagename1.asp.  Clicking on that (still in https),
>>> pagename1.asp response.redirects to http://localhost/pagename3.asp.
>>> Pagename3.asp also loops through the server variables, and it shows
>>> https is OFF.
>>>
>> Hi Adrian,
>
> Hate to be picky, but it's _Adrienne_ not Adrian. I'm female.
>
oh sorry, oops. :-)

>> I am not quite sure what the difference is from the Redirect point of
>> view. Like me, you are also creating  a standard version of the URI
>> (http://localhost/page.asp) in the string serverswitchoff. Then you do
>> a response.redirect to it. Or is it the fact that in your example you
>> 2 redirects (??).
>
> Did you set it up EXACTLY like I said? This is something that I put in an
> include and use as needed, eg:
>
> <li><a href="<%=serverswitchon%>login.asp">Login</a></li>
> <li><a href="<%=serverswitchoff%>logoff.asp">Log Off</a></li>

yes - but these are links, and they happen on the client. Of course the
client is free to follow any link be it http or https...

What I am doing is a submit from a secure page, which posts to itself,
then does some database processing, password check and sets other client
variables such as last cart etc. and then redirects to the relevant
(http) shopping area (*). And that's what ends up in (https) of that URI
anyway (although the redirect corrects to the http address). Of course I
could put in an interim page "click here to continue" and then go to the
normal protocol page but it's not very elegant.

(*) some special customers get to special portal areas via the same
login. Also if a session is timed out I redirect back to what the
customer did last after login.

I was also considering a redirect on the client but a lot of browsers
will react with security warnings...

>
>> In my case I do response.redirect http://path/somepage.asp
>> but still end up on https://path/somepage.asp
>> So its not the URI that is the problem but the redirect (from secure
>> to http). BTW it always works the other way round (http => https).
>> Maybe it is a restriction of our ISP (network solutions).
>
> I doubt your ISP is Network Solutions.  They are a registrar and hosting
> provider, AFAIK, they are not an ISP.

Yeah you're right. They're our host for the web site. What a stupid
mistake... my ISP is 3 Ireland...

>
>>
>> BTW I can not test this behavior on localhost as I do not have a local
>> certificate. I always have to upload.
>
> You can have a local certificate.  It's absolutely necessary for testing,
> just as in this case.
>
> See [http://andyjarrett.co.uk/andy/blog/index.cfm/2004/10/1/Localhost-
> SSL-testing-on-Win-XPIIS-5-for-free] for instructions on how to install a
> certificate for localhost.
that's cool to know - thank you very much!

Has anybody else any idea about the redirect? I still believe it's the
host's fault. Or could it be some option in global.asa?

Axel
Author
26 Apr 2009 9:04 PM
Axel
>> You can have a local certificate.  It's absolutely necessary for
>> testing, just as in this case.
>> See [http://andyjarrett.co.uk/andy/blog/index.cfm/2004/10/1/Localhost-
>> SSL-testing-on-Win-XPIIS-5-for-free] for instructions on how to
>> install a certificate for localhost.
> that's cool to know - thank you very much!
>

I have installed the IIS resource kit on my machine and issued a
certificate for myself for testing. And, lo and behold, the redirect
from https to https works on my local machine. So it's definitely the
host's fault. Now I only need to find out why the hell... :(

thanks for your help again!

Axel
Author
27 Apr 2009 2:02 AM
Adrienne Boswell
Gazing into my crystal ball I observed Axel <n@pe.com> writing in news:
#aoUlKrxJHA.***@TK2MSFTNGP06.phx.gbl:

>
>>> You can have a local certificate.  It's absolutely necessary for
>>> testing, just as in this case.
>>> See
[http://andyjarrett.co.uk/andy/blog/index.cfm/2004/10/1/Localhost-
>>> SSL-testing-on-Win-XPIIS-5-for-free] for instructions on how to
>>> install a certificate for localhost.
>> that's cool to know - thank you very much!
>>
>
> I have installed the IIS resource kit on my machine and issued a
> certificate for myself for testing. ANd, lo and behold, the redirect
> from https to https  works on my local machine. So its definitely the
> host's fault. Now I only need to find out why the hell... :(
>
> thanks for your help again!
>

I'm so glad to be of help.  Let us know how it works out, in case any of
us have a similar problem.

--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share
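
Added example, not part of the thread and not code from either poster: a Python helper that reads the response headers of every hop in a redirect chain (the blocks `curl -sIL` prints) and reports where the scheme changes. It separates a Location header that never leaves https from an http request that is answered with a redirect back to https, and notes how cookies set on the secure page behave after the switch. The URLs, the cookie name and both traces are constructed.

```python
from urllib.parse import urljoin, urlsplit

def parse_hops(start_url, raw):
    """Turn `curl -sIL`-style header blocks into one dict per response."""
    hops, url = [], start_url
    for block in raw.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        status = int(lines[0].split()[1])            # "HTTP/1.1 301 Moved ..."
        headers = [tuple(p.strip() for p in ln.split(":", 1))
                   for ln in lines[1:] if ":" in ln]
        location = next((v for k, v in headers if k.lower() == "location"), None)
        cookies = [v for k, v in headers if k.lower() == "set-cookie"]
        # A relative Location inherits the scheme of the URL that was requested.
        target = urljoin(url, location) if location else None
        hops.append({"url": url, "status": status, "target": target,
                     "cookies": cookies})
        if target is None:
            break
        url = target
    return hops

def diagnose(hops):
    """Return (hop number, finding, detail) tuples for scheme changes and cookies."""
    findings = []
    for n, hop in enumerate(hops, 1):
        src = urlsplit(hop["url"]).scheme
        dst = urlsplit(hop["target"]).scheme if hop["target"] else None
        if (src, dst) == ("https", "http"):
            findings.append((n, "downgrade-sent", hop["target"]))
        elif (src, dst) == ("http", "https"):
            findings.append((n, "bounced-to-https", hop["target"]))
        elif (src, dst) == ("https", "https"):
            findings.append((n, "location-keeps-https", hop["target"]))
        if src == "https":
            for cookie in hop["cookies"]:
                name = cookie.split("=", 1)[0]
                attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
                # Secure cookies are not sent over http; others cross in clear text.
                kind = "cookie-secure" if "secure" in attrs else "cookie-not-secure"
                findings.append((n, kind, name))
    return findings

START = "https://shop.example/secure/login.asp"   # constructed URL

# Constructed trace: the script's http Location arrives, a later hop undoes it.
BOUNCED = """HTTP/1.1 301 Moved Permanently
Location: http://shop.example/shop/cart.asp
Set-Cookie: ASPSESSIONIDSAMPLE=CONSTRUCTED; path=/

HTTP/1.1 301 Moved Permanently
Location: https://shop.example/shop/cart.asp

HTTP/1.1 200 OK
Content-Type: text/html
"""

# Constructed trace: a relative Location, which never leaves https.
RELATIVE = """HTTP/1.1 302 Object moved
Location: ../shop/cart.asp

HTTP/1.1 200 OK
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("bounced", BOUNCED), ("relative", RELATIVE)):
        print(label)
        for finding in diagnose(parse_hops(START, raw)):
            print("  hop %d: %s (%s)" % finding)
```

A "bounced-to-https" finding on the hop after "downgrade-sent" means the script's header reached the client intact and something answering the plain-http request sent it back; "location-keeps-https" on the first hop means the Location the client received was never an http URL.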
