+1-888-365-2779
Try Now
More in this section

Forums / General Discussions / Using login widget on SSL page

Using login widget on SSL page

8 posts, 0 answered
  1. Luis
    Luis avatar
    1 posts
    Registered:
    08 Dec 2008
    09 Oct 2012
    Link to this post
    Is there a way to use the login widget on a page that requires SSL without having to write custom code or handlers for it? The login widget works fine as long as I do not set "Require SSL" on the page properties.
  2. Craig
    Craig avatar
    82 posts
    Registered:
    07 Apr 2009
    15 Oct 2012 in reply to Luis
    Link to this post
    Just curious...

    • What version of Sitefinity are you using?
    • Are you using the backwards compatible Login widget or the NEW Login widget?  

     From what I understand, if you are using form authentication then you need to be using the backwards compatible Login widget and if you are using claims based authentication then you need to use the other Login widget.

    Just want to provide some clarification on the issue.  Thanks.
  3. Kevin
    Kevin avatar
    16 posts
    Registered:
    09 Feb 2012
    28 Jan 2013
    Link to this post

    I'm surprised someone from Telerik hasn't answered this question from October yet.

    I was also completely stumped on this issue until today. Setting any page with the login widget (Sitefinity v. 5.2, current widget version, using Claims authentication) to require SSL would result in "error:" and no explanation when the form was submitted.

    This obscure setting, in the regular Sitefinity documentation, worked for me:

    http://www.sitefinity.com/documentation/documentationarticles/user-guide/widgets/login-widgets-group/configuring-the-login-widget

    "If you are experiencing problems with the login when an SSL certificate is installed on the login page, click Administration » Settings » Advanced » Security. In AccessControlAllowOrigin, enter *. If this does not solve your problem, return its value to null."

    ** edit **

    The fix above worked for FireFox, but NOT for IE (ver. 9), which comes back with "error: undefined".

    Can someone from Telerik chime in? Not being able to encrypt login pages is a MAJOR security issue, and prevents PCI compliance.

    Thanks,
    Kevin

  4. Boyan Barnev
    Boyan Barnev avatar
    1429 posts
    Registered:
    02 Dec 2016
    29 Jan 2013
    Link to this post
    Hi everyone,

    We're sorry to hear about the issues you've experienced with the public login widget placed on a require SSL page. The behavior might be caused by an incorrect request to the STS, since you mentioned this is valid for Claims atuhentication cases.
    Can you please try configuring your <wsFederation> node in the application's web.config, as per the first step in the instructions we've provided for Securing a Sitefinity Backend with SSL , namely:

    1. Modify the web.config wsFederation node :
    <wsFederation passiveRedirectEnabled="true" issuer="https://localhost/Sitefinity/Authenticate/SWT" realm="http://localhost" requireHttps="true"/>

    If any issues persist, please do not hesitate to let us know, we'll be glad to help.

    Kind regards,
    Boyan Barnev
    the Telerik team
  5. Kevin
    Kevin avatar
    16 posts
    Registered:
    09 Feb 2012
    03 Feb 2013 in reply to Boyan Barnev
    Link to this post
    Boyan,

    Making that modification to the wsFederation node in web.config doesn't help. In fact, it breaks things further. Every page with the login widget now displays "error:" when credentials are submitted (even though the pages themselves are set to not require SSL). Even worse, now I can't get into the backend at all. When I attempt to go to http://[my web site]/sitefinity, the browser redirects to the following address, and the browser complains about not being able to connect:

    https://localhost/Sitefinity/Authenticate/SWT?realm=http%3a%2f%2f[my web site]%2f&redirect_uri=%2fsitefinity%2f&deflate=true

    In other words, it's telling the browser to find the backend on my local computer (localhost). I thought maybe the second step on the "Security a Sitefinity Backend with SSL" might help things, but there was no difference when I added that line to SecurityConfig.config. I couldn't continue to step 3, because I can't get into the backend to make page changes.

    I have since reverted my web.config file back to the original state, and while I still can't set SSL for any login pages, at least I can use them in non-SSL mode, and I can get back into the /sitefinity backend.

    Any ideas on what's wrong?

    Thanks,
    Kevin
  6. Atanas Valchev
    Atanas Valchev avatar
    414 posts
    Registered:
    04 Jan 2016
    06 Feb 2013
    Link to this post
    Hello,

    After investigating the issue in more detail. The proper way to resolve the issue in IE is to set it like so:
    <federatedAuthentication>
            <wsFederation passiveRedirectEnabled="true" issuer="http://localhost" realm="http://localhost" requireHttps="true"/>
            <cookieHandler requireSsl="false"/>
          </federatedAuthentication>

    and if you get the missing relying party error, just add the address from the error to the security config like so:
    <relyingParties>
            <add key="F033D3A3799B086BCB17ED59CD440F4B9FFB99830D862396ECDBEEBBE70C6487" encoding="Hexadecimal" realm="http://mysite.com" />
            <add key="F033D3A3799B086BCB17ED59CD440F4B9FFB99830D862396ECDBEEBBE70C6487" encoding="Hexadecimal" realm="https://mysite.com " />
        </relyingParties>

    A problem in IE is that the the widget is trying to call from https to http and IE classifies this as a crossdomain call and blocks it. This setting will resolve the problem.

    Greetings,
    Atanas Valchev
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  7. Kevin
    Kevin avatar
    16 posts
    Registered:
    09 Feb 2012
    07 Feb 2013
    Link to this post
    Atanas,

    Thank you-- I got the same answer via a support ticket today, and it works, with a couple caveats (that I'll paste in from my ticket):

    - Now any page that has the Login widget MUST be marked as "Requires SSL" in the backend, or it will break with the "error:" (Firefox) or "error: undefined" (IE). That's ok, because once I marked every login page as "Requires SSL" in the backend they worked fine, but I expect that will confuse some people at first with login pages not marked as "Requires SSL".

    - This also means that you can't have a site with mixed SSL and non-SSL login pages-- they all have to be one or the other. Not a problem for me, but may be for some.

    - The Sitefinity login page needs to be accessed via https now, as in: https://[my site]/sitefinity. If I leave it as http:// as before, it won't redirect to the dashboard correctly (throws an error), even though it does actually log me in (if I manually direct to the dashboard, it's ok). It doesn't seem to matter if the Sitefinity login page is marked as "Requires SSL" in the backend or not; the behavior is the same. This may be fixed if I mark all backend pages as requiring SSL (that's the next step).

    Thanks again-- this fixes a long period of hair-pulling. May I suggest that all of this be made more straightforward in future releases?
  8. Boyan Barnev
    Boyan Barnev avatar
    1429 posts
    Registered:
    02 Dec 2016
    12 Feb 2013
    Link to this post
    Hello Kevin,

    Thank you for getting back to us and providing your constructive feedback on the issue. 
    I have summarized it in a feature request which is also available in our public issue tracking portal here. You can track its status and vote for its popularity there.

    Please do not hesitate to let us know if there's anything else we can assist you with.

    Regards,
    Boyan Barnev
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
8 posts, 0 answered