Brian Hitney is a Developer Evangelist with Microsoft Corporation focused on cloud computing. He frequently delivers presentations and works with local community groups and customers on emerging technologies, .NET, and developer tools. Prior to his Developer Evangelist role, Brian worked as a software engineer on a Windows team in Redmond, and before he joined Microsoft he helped build large scale e-commerce applications for various companies across the United States. Brian is based out of Greensboro, NC. Brian is a DZone MVB and is not an employee of DZone.

Skipping SSL Connections Locally

02.22.2013
When developing locally, you often don’t want to use SSL, for a variety of reasons.  There’s no real point, since the request isn’t going over the wire.  Most of the time, connections are made via the loopback address 127.0.0.1 (although localhost can be used), which throws certificate errors.

This one problem is often easy to solve, but it relates to a bigger issue: dictating when (and when not) to use SSL on your site.  In the ol’ days, you wouldn’t want an entire site to be SSL for performance reasons.  Ideally, you want to gracefully redirect users to/from SSL based on the requirements of the page.  If a user navigates to a secure section like their account page, you’d like to use SSL.  If they navigate away to a page not needing SSL, you’d want to use http and not https. 

There are a LOT of ways to do this, such as using MVC filters for MVC-based applications.  One way I’ve solved this before was simply calling a method like so with each request:

using System;

private void SetupSslIfNeeded()
{
    // Bail out on local connections: never need SSL
    if (Request.IsLocal)
    {
        return;
    }

    bool requiresSsl = false;
    string curPath = Request.Path;

    // Sections of the site that must be served over SSL
    if (curPath.StartsWith("/account", StringComparison.OrdinalIgnoreCase) ||
        curPath.StartsWith("/user", StringComparison.OrdinalIgnoreCase) ||
        curPath.StartsWith("/admin", StringComparison.OrdinalIgnoreCase))
    {
        requiresSsl = true;
    }

    // Redirect to secure page
    if (requiresSsl && !Request.IsSecureConnection)
    {
        // Change only the scheme: Replace() on the whole URL would also
        // rewrite any "http://" that appears inside the query string.
        // Port = -1 selects the default port of the new scheme.
        UriBuilder newUrl = new UriBuilder(Request.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        Response.Redirect(newUrl.Uri.AbsoluteUri);
    }

    // Redirect to non-secure page
    if (!requiresSsl && Request.IsSecureConnection)
    {
        UriBuilder newUrl = new UriBuilder(Request.Url) { Scheme = Uri.UriSchemeHttp, Port = -1 };
        Response.Redirect(newUrl.Uri.AbsoluteUri);
    }
}

It’s a little more verbose than it needs to be, but that’s because there were a few port handling lines I left out for simplicity.

What this will do is avoid using SSL for local connections, and any page on the site except for those in the account, user, or admin folders.  The main downside of this approach is that it requires a redirect, which is a round trip to the server.  Ideally, you’d want your links to always be smart enough to know if they should go http:// or https://, but realistically, context switching between SSL and non-SSL pages is pretty rare so the client needing to endure the few extra milliseconds is an acceptable situation.  This is the way we currently handle SSL on http://www.rockpaperazure.com
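The redirect decision described above with port handling included, as an added example that is not the author's code. `SslRouting`, `GetRedirect`, the `isLocal` argument (standing in for `Request.IsLocal`) and the ports 8080/8443 are assumptions made for illustration.

```csharp
using System;

// Added illustration: names and ports are assumptions, not the site's code.
static class SslRouting
{
    static readonly string[] SecurePrefixes = { "/account", "/user", "/admin" };

    // Same prefix rule as the method above: these sections need SSL.
    static bool RequiresSsl(string path)
    {
        foreach (string prefix in SecurePrefixes)
        {
            if (path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Returns the URL to redirect to, or null when the request is served as is.
    public static string GetRedirect(Uri url, bool isLocal, int httpPort, int httpsPort)
    {
        if (isLocal) return null;                        // local requests never switch
        bool isSecure = url.Scheme == Uri.UriSchemeHttps;
        bool requiresSsl = RequiresSsl(url.AbsolutePath);
        if (requiresSsl == isSecure) return null;        // already on the right scheme

        // Only scheme and port change; path and query are carried over untouched.
        var target = new UriBuilder(url)
        {
            Scheme = requiresSsl ? Uri.UriSchemeHttps : Uri.UriSchemeHttp,
            Port = requiresSsl ? httpsPort : httpPort
        };
        return target.Uri.AbsoluteUri;
    }

    static void Main()
    {
        // Constructed sample requests (example.test is a placeholder host).
        string[] samples = {
            "http://example.test:8080/account/login?returnUrl=http://example.test:8080/",
            "https://example.test:8443/about",
            "https://example.test:8443/admin",
            "http://example.test:8080/"
        };
        foreach (string s in samples)
            Console.WriteLine("{0} -> {1}", s,
                GetRedirect(new Uri(s), false, 8080, 8443) ?? "(no redirect)");
    }
}
```

The first sample keeps its `returnUrl` value intact while the request itself moves to the HTTPS port, which a string replacement over the whole URL would not do.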



Published at DZone with permission of Brian Hitney, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)