Home IIS/ASP.NET - Infinite redirects in deployed code
Reply: 1

IIS/ASP.NET - Infinite redirects in deployed code

Steve Danner
Steve Danner Published in 2017-12-06 20:56:45Z

I am getting an infinite redirect loop only when I deploy my code to a Production environment. I am attempting to force SSL on the page by using a simple code redirect. I am running into the issue with a stripped-down old school web form (I'm stuck on .NET 3.5 for this project). All code is below. Any ideas on why I would get an infinite redirect look in Production and not Test?
Notes on test vs production:

  • Test is IIS 10 on Windows 10.
  • Production is IIS 6 on Windows Server 2003 R2.
  • Test uses a self-signed SSL cert.
  • Production uses a fully trusted SSL cert.
  • Identical web.configs

ASPX Markup:

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="SecurePage.aspx.cs" Inherits="wwwroot.SecurePage" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <form id="form1" runat="server">
            This page is secure!


namespace wwwroot
    public partial class SecurePage : System.Web.UI.Page

        protected void Page_Load(object sender, EventArgs e)
            if (!Request.Url.ToString().ToLower().StartsWith("https://"))
                Response.Redirect(Request.Url.ToString().ToLower().Replace("http://", "https://"));
EdSF Reply to 2017-12-06 21:44:56Z

If you have a load balancer (e.g. IIS ARR), I would suspect that your application may be receiving http from it. Your code is similar to a check Request.IsSecureConnection which will always be false in such a case, thereby causing the infinite loop. Essentially client -> load balancer is https, then from load balancer -> web farm it's http

...there IS INDEED a load balancer in the equation. I had tried Request.IsSecureConnection at first and got the infinite redirect...I can hit static resources with the https scheme without issue, CSS files, JS files, Images, etc.

Your load balancer will typically (hopefully) have a header that indicates such. You should handle it at the IIS level with a rewrite rule - before it hits the ASP.net pipeline (which is why/how static resources are "unaffected"). You'll have to remove code that checks for it too (don't check and redirect at the ASP.Net level).

Here's a sample I use for a specific provider (obviously you'll have to check with your provider):

<rule name="Redirect to HTTPS" stopProcessing="true">
    <match url=".*" />

      <add input="{HTTP_CLUSTER_HTTPS}" pattern="^on$" negate="true" />
      <add input="{HTTP_CLUSTER_HTTPS}" pattern=".+" negate="true" />

    <action type="Redirect" url="https://{HTTP_HOST}{SCRIPT_NAME}/{REQUEST_URI}" redirectType="SeeOther" />


You need to login account before you can post.

About| Privacy statement| Terms of Service| Advertising| Contact us| Help| Sitemap|
Processed in 0.33186 second(s) , Gzip On .

© 2016 Powered by mzan.com design MATCHINFO