Operation SSL Mode

Ken Lovely, MCSE, MCDBA — Fri, 24 Jul 2009 07:37:35 GMT

I had to make our site work in SSL mode and ONLY SSL mode. I also had to allow url's that pointed to our site before I forced it work in secure mode. I also had to allow for all the other domain names that we own work in SSL mode.

I thought I would share how to get this done right so no matter what it works.

Create an HTML page named 403-4.htm. Put it in a folder outside your web site’s root folder. Give the page your company’s logo and some nice looking text that states;

The page must be viewed over a secure channel

The page you are trying to access is secured with Secure Sockets Layer (SSL).

If you are not automatically redirected to our secure site, please click on this link; <add your link>

Now you are done with the basics; let’s do some scripting

function goSSL()

{

var myDomain = window.location.hostname;

// Add your domain name here

// This variable is used to ensure the domain with the

// SSL cert is always called

if (myDomain != "www.mydomain.com") {

myDomain = "www.domain.com"

}

// This variable is used to extract the url the user

// entered the site with

var unsecure = myDomain + window.location.pathname;

var secure = "";

// This was my original comparison

// it just always forced the user has the www.

// I left it but you could change the secure var

// above to have the https:// portion since

// the myDomain var is set...

if(unsecure.substring(0,3) != "www") {

secure = "https://www." + unsecure;

}

else {

secure = "https://" + unsecure;

}

// Just incase the user had a query string

query = '' + window.location;

position = query.indexOf('?');

if (position > -1)

{

query = query.substring(position + 1);

secure = secure + "?" + query;

}

// open the window to the newly set url

window.location = secure;

}

</script>

Setting up IIS:

Open IIS and go to the properties of your web site

Click on the security tab

Click on Edit under Secure Communications

I am assuming you already have an ssl cert on the site!

Check the require secure channel box

Check the require 128 bit encryption box

Click OK

Click on the Custom Error's tab

Click on the 403;4 error

Click on Edit and point to the file you made above

Click OK

Using this technique every domain you have pointed to this web site will be forced to use your secure SSL domain. The user will be presented with a quick flash of a page telling them that the site is secure for their safety.

The next secure web page you go to try changing the page back to http – this technique will put the page right back to the page the user was at and securely.

A Developer's Expedition

Operation SSL Mode