I saw identical behavior with a site I'm managing with a new SSL configuration, but MS ISA Server was not involved. In hosting environments which use load balancing such as Rackspace Cloud (Mosso) some code changes may need to be made to properly detect secure connections since they stop at the load balancer, and communication between the load balancer and the web server uses standard HTTP. Below are the changes I made to my application which seems to be working fine now.
public static void EnsureSSL()
{
// ES Edit - In a load balanced environment, Request.IsSecureConnection doesn't
// work due to non-secure communication between the load balancer and the web server
//if (!HttpContext.Current.Request.IsSecureConnection)
if (HttpContext.Current.Request.ServerVariables["HTTP_CLUSTER_HTTPS"] != "on")
{
if (SettingManager.GetSettingValueBoolean("Common.UseSSL"))
{
if (!HttpContext.Current.Request.Url.IsLoopback)
{
ReloadCurrentPage(true);
}
}
}
}
As you can see in the comments below, I also made some other changes to the handling of SSL for authenticated sessions that I wanted for my site, but there may be a case against it depending on individual situations. Also, there is probably a better way to implement these changes, and I'd love to hear them. :)
In Nop.Common\CommonHelper.cs:
public static void EnsureNonSSL()
{
// ES Edit - Added this override to enforce a secure connection on all pages when
// the user is authenticated
if (NopContext.Current.User != null && !NopContext.Current.User.IsGuest)
{
EnsureSSL();
}
else
{
// ES Edit - In a load balanced environment, Request.IsSecureConnection doesn't
// work due to non-secure communication between the load balancer and the web server
//if (HttpContext.Current.Request.IsSecureConnection)
if (HttpContext.Current.Request.ServerVariables["HTTP_CLUSTER_HTTPS"] == "on")
{
ReloadCurrentPage(false);
}
}
}
I then had the problem with prompts to display secure and non-secure content on pages that contain product images, so I made the following change in Nop.Common\PictureManager.cs:
public static string GetPictureUrl(Picture picture, int TargetSize, bool showDefaultPicture)
{
...
url = CommonHelper.GetStoreLocation(false) + "images/thumbs/" + localFilename;
// ES Edit - SSL breaking on pages containing images with non-secure URLs
if (HttpContext.Current.Request.ServerVariables["HTTP_CLUSTER_HTTPS"] == "on")
{
url = url.Replace("http://", "https://");
}
return url;
}
I hope this comes in handy for someone else!
Jason