DotNetNuke 4.5.4 introduced native support for SSL in the DotNetNuke framework.  During the testing phase and since it's release there has been some discussion (here, here and here) about the efficiency of the DotNetNuke implementation when shifting from http to https and vice versa.  It has been suggested that using Javascript, like that shown below, is much more efficient when performing the redirect.  

<script type="text/javascript">    if(location.protocol.toLowerCase() =='http:' &&         location.href.toLowerCase().indexOf('login') > -1 )               location.href = location.href.replace('http:','https:');    if(location.protocol.toLowerCase() =='https:' &&          location.href.toLowerCase().indexOf('login') == -1 )             location.href = location.href.replace('https:','http:');             </script>

So let's analyze the two methods to determine the best approach.  We'll begin by viewing the sequence diagrams for both implementations:

JavascriptRedirect ServerRedirect

In both approaches we see that there are three request/response round-trips to the server.  There are primarily 2 differences that are visible in the sequence diagrams:  1) the second round trip results in a normal page return for the javascript method while a 302 redirect is performed for the DotNetNuke implementation 2)  the final login page includes extra javascript in the javascript version versus not requiring javascript for the DotNetNuke implementation.

Just based on the sequence diagrams I would conclude that the DotNetNuke implementation is more efficient.  In the second step, the javascript version would have to return an entire webpage in order to get the javascript to perform redirect to the HTTPS protocol, while the DotNetNuke version uses a 302 redirect which is much more efficient.  The 302 redirect allows the browser to bypass all page parsing and immediately begin loading the correct page, while the javascript approach necessitates that the page get parsed, the images downloaded and some javascript get executed.  Not only is the page handling slower in the javascript method, but you also have the extra overhead for the full page being transmitted from the server to the browser.  Finally, because the server had to return the complete page for the javascript approach, it means that it would need to go through the entire ASP.Net page lifecycle to build up the login page, even though the browser is just going to perform a redirect once it receives the page.  By using the 302 redirect method, we can detect very early in the ASP.Net pipeline that we will need a redirect and therefore can short circuit the rest of the page processing and instead just return a redirect.

Instead of just relying on the sequence diagrams let's look at the actual web-traffic for further evidence of the better approach.  We are going to just look at the raw request/response cycles for the web-pages and will ignore any javascript, css or image requests since those will likely be coming from the local cache and should be exactly the same for the two approaches.  The javascript method was implemented by adding the javascript to the skin and did not require creating a custom login page.  The DotNetNuke method required the creation of a custom login page and setting the "secure" property on the page settings.  The raw requests and responses were collected using IEWatch and the raw results were saved as xml files.  I have linked to the files below, but have removed cookies and postdata headers in order to simplify the xml and to hide any potentially sensitive information.

Table 1:  SSL redirect using Javascript (download the raw http log)
Duration
(seconds)		MethodURLResultSize
(bytes)
0.096 POST http://localhost/dotnetnuke_2/default.aspx 302 46,365
0.092 GET http://localhost/dotnetnuke_2/Home/tabid/36/ctl/Login/Default.aspx?returnurl=%2fdotnetnuke_2%2fdefault.aspx 200 23,124
0.207 GET https://localhost/dotnetnuke_2/Home/tabid/36/ctl/Login/Default.aspx?returnurl=%2fdotnetnuke_2%2fdefault.aspx 200 23,129

Table 2:  DotNetNuke SSL redirect (download the raw http log)
Duration
(seconds)		MethodURLResultSize
(bytes)
0.041 POST http://localhost/dotnetnuke_2/Home/tabid/36/Default.aspx 302 46,520
0.009 GET http://localhost/dotnetnuke_2/SecureLogin/tabid/54/Default.aspx?returnurl=%2fdotnetnuke_2%2fHome%2ftabid%2f36%2fDefault.aspx 302 242
0.092 GET https://localhost/dotnetnuke_2/SecureLogin/tabid/54/Default.aspx?returnurl=%2fdotnetnuke_2%2fHome%2ftabid%2f36%2fDefault.aspx 200 24,452

The results of the actual HTTP analysis confirmed what I concluded from the sequence diagram.  The Javascript method is less efficient than using the built in DotNetNuke implementation.  Not only can you look at the size of the response page for the second request, but you can look at the speed of the response for the second request as well.

While DotNetNuke has not always made the best architectural choice for every feature, I think we can conclude in this case that the DotNetNuke implementation is actually very efficient.  I think this issue also shows why it is important to do your own analysis when someone makes a claim about DotNetNuke.  The DotNetNuke team is not perfect and we are always looking for ways to improve the platform, however, we try to be pretty diligent about testing claims to make sure we are not making the problem worse.  In this case I think we did our homework pretty well and have a good implementation that handles the most common use cases for SSL in the most efficient manner that we are aware of.