Home IIS/ASP.NET - Infinite redirects in deployed code

IIS/ASP.NET - Infinite redirects in deployed code

Steve Danner
1#
Steve Danner Published in 2017-12-06 20:56:45Z
 I am getting an infinite redirect loop only when I deploy my code to a Production environment. I am attempting to force SSL on the page by using a simple code redirect. I am running into the issue with a stripped-down old school web form (I'm stuck on .NET 3.5 for this project). All code is below. Any ideas on why I would get an infinite redirect look in Production and not Test? Notes on test vs production: Test is IIS 10 on Windows 10. Production is IIS 6 on Windows Server 2003 R2. Test uses a self-signed SSL cert. Production uses a fully trusted SSL cert. Identical web.configs ASPX Markup: <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="SecurePage.aspx.cs" Inherits="wwwroot.SecurePage" %>
 CODE-BEHIND: namespace wwwroot { public partial class SecurePage : System.Web.UI.Page { protected void Page_Load(object sender, EventArgs e) { if (!Request.Url.ToString().ToLower().StartsWith("https://")) Response.Redirect(Request.Url.ToString().ToLower().Replace("http://", "https://")); } } } 
 If you have a load balancer (e.g. IIS ARR), I would suspect that your application may be receiving http from it. Your code is similar to a check Request.IsSecureConnection which will always be false in such a case, thereby causing the infinite loop. Essentially client -> load balancer is https, then from load balancer -> web farm it's http ...there IS INDEED a load balancer in the equation. I had tried Request.IsSecureConnection at first and got the infinite redirect...I can hit static resources with the https scheme without issue, CSS files, JS files, Images, etc. Your load balancer will typically (hopefully) have a header that indicates such. You should handle it at the IIS level with a rewrite rule - before it hits the ASP.net pipeline (which is why/how static resources are "unaffected"). You'll have to remove code that checks for it too (don't check and redirect at the ASP.Net level). Here's a sample I use for a specific provider (obviously you'll have to check with your provider):   Hth...