HOW TO: Use ASP to Force SSL for Specific Pages (239875)


The information in this article applies to:

  • Microsoft Internet Information Services version 6.0
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
This article was previously published under Q239875
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

IN THIS TASK

SUMMARY

It is frequently good security practice to require Secure Sockets Layer (SSL) for certain pages on a Web site. Although this can be configured through the Internet Services Manager (ISM) in the Microsoft Management Console (MMC), you can also use Active Server Pages (ASP) to force SSL for specific pages without making changes in the MMC.

back to the top

Prerequisites

This article assumes the following conditions:
  • IIS is running on standard ports:
    • HTTP = Port 80
    • HTTPS = Port 443
  • IIS has a valid SSL certificate installed.
  • The Web site or virtual server that is used does not use HTTP/1.1 host headers for name resolution.
back to the top

Forcing SSL using ASP

To force SSL using ASP, follow these steps:
  1. Click Start, click Run, type Notepad, and then click OK.
  2. Paste the following code into a blank Notepad document. On the File menu, click Save As, and then save the following code in the root of your Web server as an include file named ForceSSL.inc:
    <%
   If Request.ServerVariables("SERVER_PORT")=80 Then
      Dim strSecureURL
      strSecureURL = "https://"
      strSecureURL = strSecureURL & Request.ServerVariables("SERVER_NAME")
      strSecureURL = strSecureURL & Request.ServerVariables("URL")
      Response.Redirect strSecureURL
   End If
%>
  3. For each page that requires SSL, paste the following code at the top of the page to reference the include file from the previous step:
    <%@Language="VBSCRIPT"%>
<!--#include virtual="/ForceSSL.inc"-->
    When each page is browsed, the ASP code that is contained in the include file detects the port to determine if HTTP is used. If HTTP is used, the browser will be redirected to the same page by using HTTPS.
back to the top

REFERENCES

187504 HTTP 1.1 Host Headers Are Not Supported When You Use SSL

218445 How to Configure Certificate Server for Use with SSL on IIS

228991 How to Create and Install an SSL Certificate in Internet Information Server 4.0

228836 Installing a New Certificate with Certificate Wizard for Use in SSL/TLS

257591 Description of the Secure Sockets Layer (SSL) Handshake

back to the top
Modification Type:MinorLast Reviewed:6/27/2006
Keywords:kbhowto kbHOWTOmaster KB239875
©2004 Microsoft Corporation. All rights reserved.