
SSL login

  1. Simon
    9 posts
    Registered:
    25 Jul 2004
    25 Jul 2011
    We wanted to secure the Sitefinity login page (https), but then wanted to redirect the user to a non-secure (http) page after authentication. Additionally, we wanted requests for password-protected web site pages to be handled by a custom login screen rather than the Sitefinity login screen.

    I created an HTTP module (IHttpModule) to implement this functionality. If anyone else is looking for something similar, this might work for you too, or might be a good starting point for your own particular goal.

    To implement this create an "App_Code" directory in the root of your web site project, if one does not already exist. Then create a class file with the following code:
    using System;
    using System.Configuration;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
     
     
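    /// <summary>
    /// HTTP module that forces HTTPS on the Sitefinity login page, optionally sends
    /// other HTTPS requests under /sitefinity/ back to HTTP, and diverts login requests
    /// for non-CMS pages to a custom login page.
    /// </summary>
    /// <remarks>
    /// Driven by three appSettings keys: "secureCMSLogin",
    /// "nonSecureCMSAfterAuthentication" and "nonCMSLogin". A missing key is treated
    /// as "off" instead of throwing on every request.
    ///
    /// NOTE(review): with "nonSecureCMSAfterAuthentication" enabled, every request
    /// under /sitefinity/ other than the login page is served over plain HTTP. Any
    /// authentication cookie the browser sends with those requests can be read by
    /// anyone able to observe the traffic, and a cookie flagged Secure would not be
    /// sent at all. Protecting only the login form does not protect the session;
    /// prefer leaving that setting off and keeping the back end on HTTPS.
    /// </remarks>
    public class SslResponse : IHttpModule
    {
        private const string LoginPagePath = "/sitefinity/login.aspx";
        private const string CmsPathFragment = "/sitefinity/";
        private const string CmsQueryMarker = "sitefinity";

        public SslResponse()
        {
        }

        /// <summary>Name under which the module is registered in web.config.</summary>
        public string ModuleName
        {
            get { return "SslResponse"; }
        }

        /// <summary>Nothing to release; the module holds no resources.</summary>
        public void Dispose()
        {
        }

        /// <summary>Subscribes the scheme checks to the start of every request.</summary>
        /// <param name="application">The application whose BeginRequest event is hooked.</param>
        public void Init(HttpApplication application)
        {
            application.BeginRequest += new EventHandler(this.Application_BeginRequest);
        }

        /// <summary>
        /// Case-insensitive substring test that does not depend on the thread culture.
        /// </summary>
        /// <remarks>
        /// The original used ToLower(), which is culture-sensitive: under a Turkish
        /// culture an upper-case "I" lower-cases to a dotless "ı", so a request for
        /// "/SITEFINITY/LOGIN.ASPX" would no longer match and would skip the HTTPS check.
        /// </remarks>
        private static bool ContainsOrdinalIgnoreCase(string value, string fragment)
        {
            return value.IndexOf(fragment, StringComparison.OrdinalIgnoreCase) >= 0;
        }

        /// <summary>
        /// Returns true only when the appSettings key exists and equals "true"
        /// (any casing). A missing key returns false rather than throwing.
        /// </summary>
        private static bool IsSettingEnabled(string key)
        {
            return string.Equals(ConfigurationManager.AppSettings[key], "true", StringComparison.OrdinalIgnoreCase);
        }

        /// <summary>
        /// Rebuilds <paramref name="source"/> with another scheme on that scheme's default port.
        /// </summary>
        private static string WithScheme(Uri source, string scheme)
        {
            UriBuilder builder = new UriBuilder(source);
            builder.Scheme = scheme;
            builder.Port = -1; // -1 = default port for the scheme
            // AbsoluteUri keeps the percent-encoding; Uri.ToString() returns an unescaped form.
            return builder.Uri.AbsoluteUri;
        }

        /// <summary>
        /// Applies the redirect rules to the current request. Loopback requests are
        /// never switched between schemes.
        /// </summary>
        private void Application_BeginRequest(object sender, EventArgs e)
        {
            HttpContext context = HttpContext.Current;
            Uri currentRequest = context.Request.Url;

            bool isHttps = string.Equals(currentRequest.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase);
            bool isLoginPage = ContainsOrdinalIgnoreCase(currentRequest.AbsolutePath, LoginPagePath);

            if (!isLoginPage)
            {
                // HTTPS request under /sitefinity/ that is not the login page:
                // send it back to HTTP when configured (see the class remarks for the risk).
                if (isHttps
                    && !currentRequest.IsLoopback
                    && IsSettingEnabled("nonSecureCMSAfterAuthentication")
                    && ContainsOrdinalIgnoreCase(currentRequest.AbsolutePath, CmsPathFragment))
                {
                    context.Response.Redirect(WithScheme(currentRequest, Uri.UriSchemeHttp));
                }

                return;
            }

            // A query string that does not mention "sitefinity" is treated as a login
            // request for a non-CMS page and handed to the custom login page.
            string query = currentRequest.Query;
            bool isNonCmsLogin = !string.IsNullOrWhiteSpace(query)
                && !ContainsOrdinalIgnoreCase(query, CmsQueryMarker);
            string customLogin = ConfigurationManager.AppSettings["nonCMSLogin"];

            if (isNonCmsLogin && !string.IsNullOrWhiteSpace(customLogin))
            {
                // NOTE(review): this redirect does not switch scheme and forwards the
                // query string unchanged, so the custom login page has to enforce HTTPS
                // itself and validate any return-URL parameter it receives.
                context.Response.Redirect(customLogin + query);
                return;
            }

            // The Sitefinity login page itself is about to be served. The original
            // skipped this check whenever the query looked non-CMS and "nonCMSLogin"
            // was not configured, leaving the login form reachable over HTTP.
            if (!isHttps && !currentRequest.IsLoopback && IsSettingEnabled("secureCMSLogin"))
            {
                context.Response.Redirect(WithScheme(currentRequest, Uri.UriSchemeHttps));
            }
        }
    }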

    Next, in your web.config file add the following under the appSettings node:
    <!-- Security -->
    <add key="secureCMSLogin" value="True"/>
    <add key="nonSecureCMSAfterAuthentication" value="True"/>
    <add key="nonCMSLogin" value="~/web-user/web-user-login.aspx"/>

    Using the "nonCMSLogin" value you can define a login page to redirect users to for any secured non-admin resources.

    Next, within the web.config add the following to the httpModules node:
    <add name="SslResponse" type="SslResponse, App_Code"/>

    And finally add the following to the <system.webServer><modules> node (also in web.config):
    <remove name="SslResponse"/>
    <add name="SslResponse" type="SslResponse, App_Code"/>

    Simon