I have a site that I inherited that uses the built-in .NET identity stuff for logins (details about the packages are below). The main issue is that if you try to hit a direct link at https://site.com/controller/action/id that has the [authorize] attribute on it and you're not logged in (which is a super common use case), .net redirects the user to the login page, but drops the https.

I've tried to find some kind of "site root" URL setting or whatever but no luck.

I've tried about 4 variations of "force SSL to be required on every page", such as writing a RequreSecureConnectionFilter filter class that overrides OnAuthorization(AuthorizationContext filterContext), checking Context.Request.Headers["X-Forwarded-Proto"], doing a rewrite rule in the web.config, and so on. The problem here is that with every attempt to force https, the site then gets stuck in a "the site tried to redirect you too many times" problem.

It's a hosted site at a large organization, which means I don't have IIS access or even access to a CPanel. It's just a fileshare where I drop files. And it's not behind a load balancer or anything.

I've tried searching (which is where I got the suggestions to try the things above) but it's a tricky sort of thing to find relevant results for.

Has anyone experienced this? I'm wary of upgrading some of the Owin or Microsoft.Identity packages willy-nilly in hopes that one of them contains a fix for it, but I suppose I can clone another copy of it and try that as a last-ditch attempt.

Thank you.

there's also this in the system.webServer portion of the web config:

 <modules> <remove name="FormsAuthentication" /> </modules> 

• Antlr.3.5.0.2
• bootstrap.3.0.0
• DocumentFormat.OpenXml.2.5
• EntityFramework.6.1.3
• jQuery.1.9.0
• jQuery.Validation.1.14.0
• log4net.2.0.5
• Microsoft.AspNet.Identity.Core.2.2.1
• Microsoft.AspNet.Identity.EntityFramework.2.2.1
• Microsoft.AspNet.Identity.Owin.2.2.1
• Microsoft.AspNet.Mvc.5.2.3
• Microsoft.AspNet.Razor.3.2.3
• Microsoft.AspNet.Web.Optimization.1.1.3
• Microsoft.AspNet.WebHelpers.3.2.3
• Microsoft.AspNet.WebPages.3.2.3
• Microsoft.AspNet.WebPages.Data.3.2.3
• Microsoft.AspNet.WebPages.WebData.3.2.3
• Microsoft.CodeDom.Providers.DotNetCompilerPlatform.1.0.1
• Microsoft.jQuery.Unobtrusive.Validation.3.2.3
• Microsoft.Net.Compilers.1.0.0
• Microsoft.Owin.3.0.1
• Microsoft.Owin.Host.SystemWeb.3.0.1
• Microsoft.Owin.Security.3.0.1
• Microsoft.Owin.Security.Cookies.3.0.1
• Microsoft.Owin.Security.Facebook.3.0.1
• Microsoft.Owin.Security.Google.3.0.1
• Microsoft.Owin.Security.MicrosoftAccount.3.0.1
• Microsoft.Owin.Security.OAuth.3.0.1
• Microsoft.Owin.Security.Twitter.3.0.1
• Microsoft.Web.Infrastructure.1.0.0.0
• Modernizr.2.8.3
• Newtonsoft.Json.8.0.2
• Owin.1.0
• Respond.1.4.2
• WebGrease.1.6.0