BE 3.1 & https for Login

Topics: ASP.NET 2.0
Oct 13, 2014 at 5:16 PM
Edited Oct 13, 2014 at 5:17 PM
Hi I am using BE 3.1 and I want access on all account (and admin) pages to be secure. I am using VS 2012 and iis express. I have the "SSL Enabled" property set to true (port 44301) and I am using "SecuritySwitch" (http://code.google.com/p/securityswitch/) to manage redirection to and from HTTP/HTTPS. All works fine. My problem is I have security warnings in all browsers even though I have all resources pointing to "HTTPS". So looking at the HTML in firebug I see this for jquery and bootstrap links in the head section of the Login.aspx page:
<link rel="stylesheet" href="https://localhost:44301/Content/bootstrap.min.css">
<html><head><title></title><script language="javascript">window.location = 'http://localhost:64079/Content/bootstrap.min.css';</script></head><body></body></html>
</link>
<script src="https://localhost:44301/Scripts/jquery-2.1.1.min.js">
<html><head><title></title><script language="javascript">window.location = 'http://localhost:64079/Scripts/jquery-2.1.1.min.js';</script></head><body></body></html>
</script>
As you can see, although I am using HTTPS in href/src, JavaScript's window.location is pointing to HTTP. Now my question; Where is that JavaScript being injected? Also, if there is any best practices that you can share for using HTTPS with account and admin I would greatly appreciate it. Thanks! Lol and you need more "Topics" for us to choose from when posting on codeplex :)
Oct 14, 2014 at 12:34 AM
Does the BE team still post to this board? If not, could someone tell me the best place to post questions? Thanks.
Coordinator
Oct 14, 2014 at 2:12 AM
Did you look at /account/account.master? This is master page used by all account pages.
Oct 14, 2014 at 6:04 AM
rtur wrote:
Did you look at /account/account.master? This is master page used by all account pages.
Yes I did. The account.master code has only (2) methods plus the Page_Load event. On Load the resources list is being populated and then the method "AddLocalizedStringsToJavaScript" is called passing the resources list. The other method is SetStatus.
Coordinator
Oct 14, 2014 at 2:48 PM
The methods are in code behind (acoount.master.cs). I'm talking about template (account.master).
Oct 14, 2014 at 4:04 PM
Edited Oct 14, 2014 at 4:10 PM
rtur wrote:
The methods are in code behind (acoount.master.cs). I'm talking about template (account.master).
Yes. I am in the process of customizing it, The link/script tags for bootstrap css and jquery.js in head section of the account.Master file look like:
<link href="../Content/bootstrap.min.css" rel="stylesheet" />
<script src="../Scripts/jquery-2.1.1.min.js"></script>
I even changed it to use:
<link href="<%= Utils.AbsoluteWebRoot + "Content/bootstrap.min.css" %>" rel="stylesheet" />
<script src="<%= Utils.AbsoluteWebRoot + "Scripts/jquery-2.1.1.min.js" %>" type="text/javascript"></script>
Which is unnecessary as the relative uri's resolve to https after the securityswitch redirect. My question is where does this come from between the open/close link tags when rendered:
<html><head><title></title><script language="javascript">window.location = 'http://localhost:64079/Content/bootstrap.min.css';</script></head><body></body></html>
And between the open/close script tags:
<html><head><title></title><script language="javascript">window.location = 'http://localhost:64079/Scripts/jquery-2.1.1.min.js';</script></head><body></body></html>
I believe this is the problem because even though I am pointing to those files using https protocol, javascript is loading them via http with window.location.

This is only present for the bootstrap.css link and jquery.js script tags. The account.js for example has the actual script between the open/close tags.