«

Hi

I am trying to redirect from some (login) pages from https to http by
using >>Response.Redirect<< but it seems to always end up on https pages
anyway. The only way I get the users back to http is by them clicking on
my (explicit) links but I want to drop them back to http as soon as they
are logged in.

The other way around (http to https) works fine. What could cause such a
behavior? Maybe some global switch in global.asa? Or cookies set by the
secure page? Its really weird.

I am considering doing the redirect client side but I don't want the
whole page to load and then to the redirect as its slooow. OTOH I am
scared of cutting the page short server site in case the client redirect
method fails (e.g. due to ignoring javascript or meta headers). Is there
a sure fire way to redirect to non-secure after successful login?

thanks in advance
Axel

Gazing into my crystal ball I observed Axel <> writing in
news:uHRJEE$:

> Hi
>
> I am trying to redirect from some (login) pages from https to http by
> using >>Response.Redirect<< but it seems to always end up on https
pages
> anyway. The only way I get the users back to http is by them clicking
on
> my (explicit) links but I want to drop them back to http as soon as
they
> are logged in.
>
> The other way around (http to https) works fine. What could cause such
a
> behavior? Maybe some global switch in global.asa? Or cookies set by
the
> secure page? Its really weird.
>
> I am considering doing the redirect client side but I don't want the
> whole page to load and then to the redirect as its slooow. OTOH I am
> scared of cutting the page short server site in case the client
redirect
> method fails (e.g. due to ignoring javascript or meta headers). Is
there
> a sure fire way to redirect to non-secure after successful login?
>
> thanks in advance
> Axel
>

Here's what I do:

serverswitchon = "https://" & request.servervariables("SERVER_NAME")
serverswitchon = serverswitchon & left(request.servervariables
("PATH_INFO"),instrrev(request.servervariables("PA TH_INFO"),"/"))
serverswitchoff = "http://" & request.servervariables("SERVER_NAME")
serverswitchoff = serverswitchoff & left(request.servervariables
("PATH_INFO"),instrrev(request.servervariables("PA TH_INFO"),"/"))

response.redirect serverswitchoff & "pagename.asp" 'to http
response.redirect serverswitchon & "pagename.asp" 'to https

--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share

Hi - I am still struggling can not make a server side redirect happen
from https to http.

its not the generation of the URL that is the problem; it just simply
seems to ignore the fact that I am redirecting from secure to a plain
http page (the other way round always work). The user can click on http
links and follow but redirects or AddHeader always stays within https.

After reading
http://www.4guysfromrolla.com/aspfaq...Q.asp?FAQID=72 (ADPFAQs.com)
and
http://www.somacon.com/p145.php (Permanent Redirect with HTTP 301)

Here is my final code (using AddHeader instead of Redirect) - I also
made sure not have ANY output before I call the page. However, some
session variables are written (these are needed to identify the user
once he is logged on) - Buffering is turned on as per standard.

Function redirectNoSSL(sUrl)
Dim sNewURL
sNewURL = stripSSL(sUrl)
If Response.Buffer=True then
Response.Clear
Response.Buffer=False
End If

'Call Response.Redirect(sNewURL)
' instead of redirect!

Response.Status = "301 Moved Permanently"
Call Response.AddHeader ("Location", sNewURL)
End Function

(stripSSL works fine, and is supposed to with relative URLs; it just
recreates the current URL with http: instead of https, and appends the
(relative) target URL, see code below)

any other suggestions.

Axel

' example: Redirect stripSSL("../../images/head.gif")
Function stripSSL(sTarget)
Dim host, sUrl, i
stripSSL=""
if sTarget="" Then Exit Function

sUrl=Request.ServerVariables("URL")
host=Request.ServerVariables("server_name")

i=InStrRev(sUrl, "/")
stripSSL= "http://" & host & Left(sUrl,i) & sTarget
End Function


Adrienne Boswell wrote:
> Gazing into my crystal ball I observed Axel <> writing in
> news:uHRJEE$:
>
>> Hi
>>
>> I am trying to redirect from some (login) pages from https to http by
>> using >>Response.Redirect<< but it seems to always end up on https
> pages
>> anyway. The only way I get the users back to http is by them clicking
> on
>> my (explicit) links but I want to drop them back to http as soon as
> they
>> are logged in.
>>
>> The other way around (http to https) works fine. What could cause such
> a
>> behavior? Maybe some global switch in global.asa? Or cookies set by
> the
>> secure page? Its really weird.
>>
>> I am considering doing the redirect client side but I don't want the
>> whole page to load and then to the redirect as its slooow. OTOH I am
>> scared of cutting the page short server site in case the client
> redirect
>> method fails (e.g. due to ignoring javascript or meta headers). Is
> there
>> a sure fire way to redirect to non-secure after successful login?
>>
>> thanks in advance
>> Axel
>>
>
> Here's what I do:
>
> serverswitchon = "https://" & request.servervariables("SERVER_NAME")
> serverswitchon = serverswitchon & left(request.servervariables
> ("PATH_INFO"),instrrev(request.servervariables("PA TH_INFO"),"/"))
> serverswitchoff = "http://" & request.servervariables("SERVER_NAME")
> serverswitchoff = serverswitchoff & left(request.servervariables
> ("PATH_INFO"),instrrev(request.servervariables("PA TH_INFO"),"/"))
>
> response.redirect serverswitchoff & "pagename.asp" 'to http
> response.redirect serverswitchon & "pagename.asp" 'to https
>

Gazing into my crystal ball I observed Axel <> writing in
news::

Please do not top post - it confuses the order of the conversation.
Top posting corrected. See below:

> Adrienne Boswell wrote:
>> Gazing into my crystal ball I observed Axel <> writing in
>> news:uHRJEE$:
>>
>>> Hi
>>>
>>> I am trying to redirect from some (login) pages from https to http by
>>> using >>Response.Redirect<< but it seems to always end up on https
>> pages
>>> anyway. The only way I get the users back to http is by them clicking
>> on
>>> my (explicit) links but I want to drop them back to http as soon as
>> they
>>> are logged in.
>>>
>>> The other way around (http to https) works fine. What could cause
such
>> a
>>> behavior? Maybe some global switch in global.asa? Or cookies set by
>> the
>>> secure page? Its really weird.
>>>
>>> I am considering doing the redirect client side but I don't want the
>>> whole page to load and then to the redirect as its slooow. OTOH I am
>>> scared of cutting the page short server site in case the client
>> redirect
>>> method fails (e.g. due to ignoring javascript or meta headers). Is
>> there
>>> a sure fire way to redirect to non-secure after successful login?
>>>
>>> thanks in advance
>>> Axel
>>>
>>
>> Here's what I do:
>>
>> serverswitchon = "https://" & request.servervariables("SERVER_NAME")
>> serverswitchon = serverswitchon & left(request.servervariables
>> ("PATH_INFO"),instrrev(request.servervariables("PA TH_INFO"),"/"))
>> serverswitchoff = "http://" & request.servervariables("SERVER_NAME")
>> serverswitchoff = serverswitchoff & left(request.servervariables
>> ("PATH_INFO"),instrrev(request.servervariables("PA TH_INFO"),"/"))
>>
>> response.redirect serverswitchoff & "pagename.asp" 'to http
>> response.redirect serverswitchon & "pagename.asp" 'to https
>>

> Hi - I am still struggling can not make a server side redirect happen
> from https to http.

Did you try my method (watch wrapping)? I have no problems here doing
this - of course, this is on my local machine, with a local certificate.

This is what I did. I created a page - pagename0.asp that I put into my
url bar as https://localhost/pagename0.asp . That page comes up and
loops through the server variables - https is ON. There is a link to
pagename1.asp. Clicking on that (still in https), pagename1.asp
response.redirects to http://localhost/pagename3.asp. Pagename3.asp also
loops through the server variables, and it shows https is OFF.

>
> its not the generation of the URL that is the problem; it just simply
> seems to ignore the fact that I am redirecting from secure to a plain
> http page (the other way round always work). The user can click on http
> links and follow but redirects or AddHeader always stays within https.
>
> After reading
> http://www.4guysfromrolla.com/aspfaq...Q.asp?FAQID=72
(ADPFAQs.com)
> and
> http://www.somacon.com/p145.php (Permanent Redirect with HTTP 301)
>
> Here is my final code (using AddHeader instead of Redirect) - I also
> made sure not have ANY output before I call the page. However, some
> session variables are written (these are needed to identify the user
> once he is logged on) - Buffering is turned on as per standard.
>
> Function redirectNoSSL(sUrl)
> Dim sNewURL
> sNewURL = stripSSL(sUrl)
> If Response.Buffer=True then
> Response.Clear
> Response.Buffer=False
> End If
>
> 'Call Response.Redirect(sNewURL)
> ' instead of redirect!
>
> Response.Status = "301 Moved Permanently"
> Call Response.AddHeader ("Location", sNewURL)
> End Function
>
> (stripSSL works fine, and is supposed to with relative URLs; it just
> recreates the current URL with http: instead of https, and appends the
> (relative) target URL, see code below)
>
> any other suggestions.
>
> Axel
>
> ' example: Redirect stripSSL("../../images/head.gif")
> Function stripSSL(sTarget)
> Dim host, sUrl, i
> stripSSL=""
> if sTarget="" Then Exit Function
>
> sUrl=Request.ServerVariables("URL")
> host=Request.ServerVariables("server_name")
>
> i=InStrRev(sUrl, "/")
> stripSSL= "http://" & host & Left(sUrl,i) & sTarget
> End Function
>
>


--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share

Adrienne Boswell schrieb:
> Gazing into my crystal ball I observed Axel <> writing in
> news::
>
> Please do not top post - it confuses the order of the conversation.
> Top posting corrected. See below:
>
>> Adrienne Boswell wrote:
>>> Gazing into my crystal ball I observed Axel <> writing in
>>> news:uHRJEE$:
>>>
>>>> Hi
>>>>
>>>> I am trying to redirect from some (login) pages from https to http by
>>>> using >>Response.Redirect<< but it seems to always end up on https
>>> pages
>>>> anyway. The only way I get the users back to http is by them clicking
>>> on
>>>> my (explicit) links but I want to drop them back to http as soon as
>>> they
>>>> are logged in.
>>>>
>>>> The other way around (http to https) works fine. What could cause
> such
>>> a
>>>> behavior? Maybe some global switch in global.asa? Or cookies set by
>>> the
>>>> secure page? Its really weird.
>>>>
>>>> I am considering doing the redirect client side but I don't want the
>>>> whole page to load and then to the redirect as its slooow. OTOH I am
>>>> scared of cutting the page short server site in case the client
>>> redirect
>>>> method fails (e.g. due to ignoring javascript or meta headers). Is
>>> there
>>>> a sure fire way to redirect to non-secure after successful login?
>>>>
>>>> thanks in advance
>>>> Axel
>>>>
>>> Here's what I do:
>>>
>>> serverswitchon = "https://" & request.servervariables("SERVER_NAME")
>>> serverswitchon = serverswitchon & left(request.servervariables
>>> ("PATH_INFO"),instrrev(request.servervariables("PA TH_INFO"),"/"))
>>> serverswitchoff = "http://" & request.servervariables("SERVER_NAME")
>>> serverswitchoff = serverswitchoff & left(request.servervariables
>>> ("PATH_INFO"),instrrev(request.servervariables("PA TH_INFO"),"/"))
>>>
>>> response.redirect serverswitchoff & "pagename.asp" 'to http
>>> response.redirect serverswitchon & "pagename.asp" 'to https
>>>
>
>> Hi - I am still struggling can not make a server side redirect happen
>> from https to http.
>
> Did you try my method (watch wrapping)? I have no problems here doing
> this - of course, this is on my local machine, with a local certificate.
>
> This is what I did. I created a page - pagename0.asp that I put into my
> url bar as https://localhost/pagename0.asp . That page comes up and
> loops through the server variables - https is ON. There is a link to
> pagename1.asp. Clicking on that (still in https), pagename1.asp
> response.redirects to http://localhost/pagename3.asp. Pagename3.asp also
> loops through the server variables, and it shows https is OFF.
>

Hi Adrian,

I am not quite sure what the difference is from the Redirect point of
view. Like me, you are also creating a standard version of the URI
(http://localhost/page.asp) in the string serverswitchoff. Then you do a
response.redirect to it. Or is it the fact that in your example you 2
redirects (??).

In my case I do response.redirect http://path/somepage.asp
but still end up on https://path/somepage.asp
So its not the URI that is the problem but the redirect (from secure to
http). BTW it always works the other way round (http => https). Maybe it
is a restriction of our ISP (network solutions).


BTW I can not test this behavior on localhost as I do not have a local
certificate. I always have to upload.

thanks
Axel


> (ADPFAQs.com)

Gazing into my crystal ball I observed Axel <> writing in
news:#:

>
>
> Adrienne Boswell schrieb:
>> Gazing into my crystal ball I observed Axel <> writing in
>> news::
>>
>> Please do not top post - it confuses the order of the conversation.
>> Top posting corrected. See below:
>>
>>> Adrienne Boswell wrote:
>>>> Gazing into my crystal ball I observed Axel <> writing in
>>>> news:uHRJEE$:
>>>>
>>>>> Hi
>>>>>
>>>>> I am trying to redirect from some (login) pages from https to http
>>>>> by using >>Response.Redirect<< but it seems to always end up on
>>>>> https
>>>> pages
>>>>> anyway. The only way I get the users back to http is by them
>>>>> clicking
>>>> on
>>>>> my (explicit) links but I want to drop them back to http as soon
>>>>> as
>>>> they
>>>>> are logged in.
>>>>>
>>>>> The other way around (http to https) works fine. What could cause
>> such
>>>> a
>>>>> behavior? Maybe some global switch in global.asa? Or cookies set
>>>>> by
>>>> the
>>>>> secure page? Its really weird.
>>>>>
>>>>> I am considering doing the redirect client side but I don't want
>>>>> the whole page to load and then to the redirect as its slooow.
>>>>> OTOH I am scared of cutting the page short server site in case the
>>>>> client
>>>> redirect
>>>>> method fails (e.g. due to ignoring javascript or meta headers). Is
>>>> there
>>>>> a sure fire way to redirect to non-secure after successful login?
>>>>>
>>>>> thanks in advance
>>>>> Axel
>>>>>
>>>> Here's what I do:
>>>>
>>>> serverswitchon = "https://" &
>>>> request.servervariables("SERVER_NAME") serverswitchon =
>>>> serverswitchon & left(request.servervariables
>>>> ("PATH_INFO"),instrrev(request.servervariables("PA TH_INFO"),"/"))
>>>> serverswitchoff = "http://" &
>>>> request.servervariables("SERVER_NAME") serverswitchoff =
>>>> serverswitchoff & left(request.servervariables
>>>> ("PATH_INFO"),instrrev(request.servervariables("PA TH_INFO"),"/"))
>>>>
>>>> response.redirect serverswitchoff & "pagename.asp" 'to http
>>>> response.redirect serverswitchon & "pagename.asp" 'to https
>>>>
>>
>>> Hi - I am still struggling can not make a server side redirect
>>> happen from https to http.
>>
>> Did you try my method (watch wrapping)? I have no problems here
>> doing this - of course, this is on my local machine, with a local
>> certificate.
>>
>> This is what I did. I created a page - pagename0.asp that I put into
>> my url bar as https://localhost/pagename0.asp . That page comes up
>> and loops through the server variables - https is ON. There is a
>> link to pagename1.asp. Clicking on that (still in https),
>> pagename1.asp response.redirects to http://localhost/pagename3.asp.
>> Pagename3.asp also loops through the server variables, and it shows
>> https is OFF.
>>
>
> Hi Adrian,

Hate to be picky, but it's _Adrienne_ not Adrian. I'm female.

>
> I am not quite sure what the difference is from the Redirect point of
> view. Like me, you are also creating a standard version of the URI
> (http://localhost/page.asp) in the string serverswitchoff. Then you do
> a response.redirect to it. Or is it the fact that in your example you
> 2 redirects (??).

Did you set it up EXACTLY like I said? This is something that I put in an
include and use as needed, eg:

<li><a href="<%=serverswitchon%>login.asp">Login</a></li>
<li><a href="<%=serverswitchoff%>logoff.asp">Log Off</a></li>

>
> In my case I do response.redirect http://path/somepage.asp
> but still end up on https://path/somepage.asp
> So its not the URI that is the problem but the redirect (from secure
> to http). BTW it always works the other way round (http => https).
> Maybe it is a restriction of our ISP (network solutions).

I doubt your ISP is Network Solutions. They are a registrar and hosting
provider, AFAIK, they are not an ISP.

>
>
> BTW I can not test this behavior on localhost as I do not have a local
> certificate. I always have to upload.

You can have a local certificate. It's absolutely necessary for testing,
just as in this case.

See [http://andyjarrett.co.uk/andy/blog/i...0/1/Localhost-
SSL-testing-on-Win-XPIIS-5-for-free] for instructions on how to install a
certificate for localhost.



--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share

Adrienne Boswell wrote:
>>>
>>> This is what I did. I created a page - pagename0.asp that I put into
>>> my url bar as https://localhost/pagename0.asp . That page comes up
>>> and loops through the server variables - https is ON. There is a
>>> link to pagename1.asp. Clicking on that (still in https),
>>> pagename1.asp response.redirects to http://localhost/pagename3.asp.
>>> Pagename3.asp also loops through the server variables, and it shows
>>> https is OFF.
>>>
>> Hi Adrian,
>
> Hate to be picky, but it's _Adrienne_ not Adrian. I'm female.
>
oh sorry, oops.

>> I am not quite sure what the difference is from the Redirect point of
>> view. Like me, you are also creating a standard version of the URI
>> (http://localhost/page.asp) in the string serverswitchoff. Then you do
>> a response.redirect to it. Or is it the fact that in your example you
>> 2 redirects (??).
>
> Did you set it up EXACTLY like I said? This is something that I put in an
> include and use as needed, eg:
>
> <li><a href="<%=serverswitchon%>login.asp">Login</a></li>
> <li><a href="<%=serverswitchoff%>logoff.asp">Log Off</a></li>

yes - but these are links, and they happen on the client. Of course the
client is free to follow any link be it http or https...

What I am doing is a submit from a secure page, which posts to itself,
then does some database processing, password check and set other client
variables such as last cart etc. and then redirects to the relevant
(http) shopping area (*). And that's what ends up in (https) of that URI
anyway (although the redirect corrects to the http address. Of course I
could put in an interim page "click here to continue" and then go to the
normal protocol page but its not very elegant.

(*)some special customers get to special portal areas via the same
login. Also if a session is timed out I redirect back to what the
customer did last after login.

I was also considering a redirect on the client but a lot of browsers
will react with security warnings...

>
>> In my case I do response.redirect http://path/somepage.asp
>> but still end up on https://path/somepage.asp
>> So its not the URI that is the problem but the redirect (from secure
>> to http). BTW it always works the other way round (http => https).
>> Maybe it is a restriction of our ISP (network solutions).
>
> I doubt your ISP is Network Solutions. They are a registrar and hosting
> provider, AFAIK, they are not an ISP.

Yeah you're right. they're our host for the web site. what a stupid
mistake... my ISP is 3 ireland...

>
>>
>> BTW I can not test this behavior on localhost as I do not have a local
>> certificate. I always have to upload.
>
> You can have a local certificate. It's absolutely necessary for testing,
> just as in this case.
>
> See [http://andyjarrett.co.uk/andy/blog/i...0/1/Localhost-
> SSL-testing-on-Win-XPIIS-5-for-free] for instructions on how to install a
> certificate for localhost.
that's cool to know - thank you very much!

Has anybody else any idea about the redirect? I still believe its the
hosts fault. Or could it be some option in global.asa?

Axel

>> You can have a local certificate. It's absolutely necessary for
>> testing, just as in this case.
>> See [http://andyjarrett.co.uk/andy/blog/i...0/1/Localhost-
>> SSL-testing-on-Win-XPIIS-5-for-free] for instructions on how to
>> install a certificate for localhost.
> that's cool to know - thank you very much!
>

I have installed the IIS resource kit on my machine and issued a
certificate for myself for testing. ANd, lo and behold, the redirect
from https to https works on my local machine. So its definitely the
host's fault. Now I only need to find out why the hell...

thanks for your help again!

Axel

Gazing into my crystal ball I observed Axel <> writing in news:
#:

>
>>> You can have a local certificate. It's absolutely necessary for
>>> testing, just as in this case.
>>> See
[http://andyjarrett.co.uk/andy/blog/i...0/1/Localhost-
>>> SSL-testing-on-Win-XPIIS-5-for-free] for instructions on how to
>>> install a certificate for localhost.
>> that's cool to know - thank you very much!
>>
>
> I have installed the IIS resource kit on my machine and issued a
> certificate for myself for testing. ANd, lo and behold, the redirect
> from https to https works on my local machine. So its definitely the
> host's fault. Now I only need to find out why the hell...
>
> thanks for your help again!
>

I'm so glad to be of help. Let us know how it work out, in case any of
us have a similar problem.

--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share