I blogged here about securing logon cookies in MVC3. After writing a custom attribute based on the [RequireHttps] attribute, it turned out that the best way was simply to use the forms authentication settings in web.config instead.
But the custom attribute I wrote ended up morphing into something that solves a different problem. When you use the [RequireHttps] attribute, you might notice that even after a user logs out they carry on over an https connection for all subsequent requests to your site. This is not a big problem, but I find it annoying since https is no longer needed. A similar thing happens if a user has bookmarked the https version of your site's homepage, in which case the encryption is unnecessary for an anonymous visitor.
So I turned my existing attribute class into the [LimitHttps] attribute. It checks whether the request arrived over a secure connection AND the user is not authenticated, and if so redirects them back to plain old http - unless they are visiting a route that requires https. This is how I'm using it:
1) add the [RequireHttps] attribute to Account\LogOn and Account\Register
2) set up forms authentication with requireSSL="true" in web.config
3) add this line to RegisterGlobalFilters() in Global.asax:
You'll now find that the following things happen:
- https is enforced whenever a user is logged in (this is due to the requireSSL property in web.config)
- if a logged-in user manually goes back to http, the browser will not send the login cookie, because requireSSL="true" marks it Secure; the server therefore treats the request as anonymous (also due to the requireSSL property)
- the LogOn and Register actions in the Account controller always use SSL (https), because we've added the [RequireHttps] attribute to them (with requireSSL="true", forms authentication would in any case refuse to issue the cookie over plain http)
- when a user logs out, they automatically revert back to http (which is done by the [LimitHttps] attribute we've added)
- if an anonymous user visits the homepage over https, they are switched back to http (the [LimitHttps] attribute does this too)
The code can be downloaded by clicking below.
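The download itself is not reproduced here. As an added illustration (not the author's code) of the behaviour described above, the following shows one way to write such an attribute, together with the [RequireHttps] actions from step 1 and the Global.asax registration from step 3. The filter redirects anonymous HTTPS GET requests to the same URL over HTTP unless the action or its controller carries [RequireHttps]; the class names AccountController and MvcApplication are the MVC3 template defaults and are used here only to show where the pieces go.

```csharp
using System;
using System.Web.Mvc;

// Added example, not the author's downloadable code: anonymous requests that
// arrive over HTTPS are sent back to HTTP, unless the target action or its
// controller is marked [RequireHttps].
public class LimitHttpsAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        var request = filterContext.HttpContext.Request;

        // Only anonymous HTTPS requests are candidates for a downgrade.
        if (!request.IsSecureConnection || request.IsAuthenticated)
            return;

        // Routes that demand HTTPS are left alone; otherwise [RequireHttps]
        // and this filter would redirect each other in a loop.
        var action = filterContext.ActionDescriptor;
        if (action.IsDefined(typeof(RequireHttpsAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(RequireHttpsAttribute), true))
            return;

        // Only GET can be redirected safely; a redirected POST would lose its body.
        if (!String.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            return;

        // Same host and path, http scheme, default port (Port = -1 drops an explicit :443).
        var http = new UriBuilder(request.Url) { Scheme = Uri.UriSchemeHttp, Port = -1 };
        filterContext.Result = new RedirectResult(http.Uri.AbsoluteUri);
    }
}

// Step 1: [RequireHttps] on the two actions that must stay encrypted.
public class AccountController : Controller
{
    [RequireHttps]
    public ActionResult LogOn() { return View(); }

    [RequireHttps]
    public ActionResult Register() { return View(); }
}

// Step 3: register the filter globally in Global.asax.cs. Step 2 is the
// web.config setting <forms requireSSL="true" ... /> and has no C# counterpart.
public class MvcApplication : System.Web.HttpApplication
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new LimitHttpsAttribute());
    }
}
```

One thing to keep in mind with any https-to-http downgrade: requireSSL="true" protects the forms authentication cookie, but any other cookie the anonymous visitor holds (the session cookie or the anti-forgery cookie, for example) travels in clear text after the redirect unless it is also marked Secure. If nothing on the anonymous side needs protecting that is acceptable; if it does, keeping the whole site on https is the simpler answer.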
Since I've been messing about with MVC3 and https recently, I found this blog quite useful:
Getting SelfSSL7 from there makes it pretty simple to get https working on your development PC. Worth remembering...
I was using this code here when doing some testing, but essentially the code looks like this:
    using System;
    using System.Web.Caching;
    public static class CacheExtensions {
        public static T GetOrStore<T>(this Cache cache, string key, Func<T> generator) {
            var result = cache[key];
            if (result == null) {
                result = generator();
                cache[key] = result;
            }
            return (T)result;
        }
    }
...but I realised that it wasn’t actually doing much in the way of processing, and I wondered if it could be written more compactly. So this is what I came up with:
    public static class CacheExtensions {
        public static T GetOrStore<T>(this Cache cache, string key, Func<T> generator) where T : class {
            return (cache[key] ?? (cache[key] = generator())) as T;
        }
    }
As an old C programmer, I still like it when things can be done in a single line of code.
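Both versions share a check-then-act window: two requests that miss the cache at the same moment both run generator(), and the second store overwrites the first. For a plain cache that is usually harmless, but if generator() is expensive or has side effects you may want to close it. As an added example (not the author's code), here is a locked variant that also copes with a generator returning null, which Cache.Insert rejects with an ArgumentNullException. The class name SafeCacheExtensions is just chosen to avoid clashing with the one above.

```csharp
using System;
using System.Web.Caching;

// Added example: a thread-safe GetOrStore. Not the author's code.
public static class SafeCacheExtensions
{
    // A single lock object keeps the example short; per-key locks scale better.
    private static readonly object Sync = new object();

    public static T GetOrStore<T>(this Cache cache, string key, Func<T> generator) where T : class
    {
        // Fast path: no lock when the value is already cached.
        var result = cache[key] as T;
        if (result != null)
            return result;

        lock (Sync)
        {
            // Re-check under the lock: another request may have stored it meanwhile.
            result = cache[key] as T;
            if (result != null)
                return result;

            result = generator();
            // Cache.Insert throws ArgumentNullException for a null value, so don't store one.
            if (result != null)
                cache[key] = result;
            return result;
        }
    }
}
```

The where T : class constraint is what makes the as T cast legal in both the one-liner and this version; for value types you would need a (T) cast and a different null check.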
It was a rainy Sunday afternoon, so I decided to have a tidy up in my office/workshop/third bedroom. What actually happened was that I saw the grotty looking dusty case for my PDP-11 and decided to clean it (it has been in pretty bad shape since I bought it). Having cleaned it, I then decided to put the machine inside the actual case. So now the office looks just the same, except the PDP-11 looks much better. Some progress I suppose. Here are some photos of the end result:
Isn't she beautiful? During this process I have learned:
- the machine is much heavier than I remember
- I really need to find a front cover to finish it off
- the word "PDP-11" in English is apparently feminine
Now that it's in one piece, I have even fired the machine up and can report that it still runs fine. Phew! I didn't break it.