I suggest a setting in composite.config to specify whether https is required for accessing the console or not. I'm getting pretty tired of rolling out a custom Http Module each and every time :/
Comments:
** Comment from web user: mawtex **
Looking into this implementation for 4.0:
* New config file ~/App_Data/Composite/Configuration/C1ConsoleAccess.xml
* New landing page ~/Composite/unsecure.aspx (see attachment for prototype)
* Our existing ~/Composite request filter gets some new HTTPS check logic added to it
__Flow:__
For all ~/Composite HTTP requests, if C1ConsoleAccess.xml says "HTTPS only" we redirect to the new unsecure.aspx page.
On unsecure.aspx, client script will check if HTTPS is working for the current host (make a test XMLHttpRequest to the https: variant) and auto-redirect the user to HTTPS if so. I.e. you get on HTTPS automatically, when it works.
If HTTPS is not working the user sees the actual unsecure.aspx page (see attachment) - this offers a button that will set an "ignore HTTPS requirement" session cookie and redirect to top.aspx. I.e. you can still access the C1 Console using plain HTTP even if (and only if) HTTPS is not working.
The ability to xcopy a site back and forth between dev, staging, prod and be able to log in without changing config should become us developers well. We could make an AllowFallbackToHTTP setting in C1ConsoleAccess.xml which when false would prohibit this opt-in "developer backdoor".
The reasoning behind a unique config file (rather than web or composite.config) is to allow devs to disable the HTTPS requirement in their environments in a file they can easily avoid checking in.
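
The request-filter decision described in the flow above, written out as an added example; it is not code from the Composite C1 project or from the commenter. The type and member names (`ConsoleAccessConfig`, `HttpsOnly`, `ConsoleHttpsGate`, `Decide`) are hypothetical, and the paths assume the site runs at the application root.

```csharp
using System;

// Hypothetical model of the two settings the comment proposes for C1ConsoleAccess.xml.
public sealed class ConsoleAccessConfig
{
    public bool HttpsOnly { get; set; }
    public bool AllowFallbackToHttp { get; set; }
}

public enum ConsoleAccess { Allow, RedirectToLandingPage }

public static class ConsoleHttpsGate
{
    const string ConsoleRoot = "/Composite";                 // assumes the site runs at "/"
    const string LandingPage = "/Composite/unsecure.aspx";

    // isHttps: for example HttpRequest.IsSecureConnection; hasIgnoreCookie: the
    // "ignore HTTPS requirement" session cookie was sent with the request.
    public static ConsoleAccess Decide(ConsoleAccessConfig cfg, string path, bool isHttps, bool hasIgnoreCookie)
    {
        var cmp = StringComparison.OrdinalIgnoreCase;
        bool isConsole = path.Equals(ConsoleRoot, cmp) || path.StartsWith(ConsoleRoot + "/", cmp);
        if (!isConsole || !cfg.HttpsOnly || isHttps) return ConsoleAccess.Allow;

        // The landing page has to load over plain HTTP, otherwise the redirect loops.
        if (path.Equals(LandingPage, cmp)) return ConsoleAccess.Allow;

        // The cookie is client-controlled, so it only counts when the config permits fallback.
        if (cfg.AllowFallbackToHttp && hasIgnoreCookie) return ConsoleAccess.Allow;

        return ConsoleAccess.RedirectToLandingPage;
    }
}

public static class Program
{
    public static void Main()
    {
        var strict = new ConsoleAccessConfig { HttpsOnly = true, AllowFallbackToHttp = false };
        var lenient = new ConsoleAccessConfig { HttpsOnly = true, AllowFallbackToHttp = true };

        // Constructed requests: (path, isHttps, hasIgnoreCookie)
        Console.WriteLine(ConsoleHttpsGate.Decide(strict, "/Composite/top.aspx", false, true));
        Console.WriteLine(ConsoleHttpsGate.Decide(lenient, "/Composite/top.aspx", false, true));
        Console.WriteLine(ConsoleHttpsGate.Decide(lenient, "/Composite/top.aspx", false, false));
        Console.WriteLine(ConsoleHttpsGate.Decide(strict, "/Composite/unsecure.aspx", false, false));
        Console.WriteLine(ConsoleHttpsGate.Decide(strict, "/Composite/top.aspx", true, false));
    }
}
```

With `AllowFallbackToHttp` set to false, a request that carries the cookie is still redirected, which is the behaviour the setting is meant to enforce.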