Custom account forms

3 posts, 1 answered
  1. John Colclough
    7 posts
    Registered:
    05 Nov 2009
    07 Jun 2010
    Hi everyone, I'm a new Sitefinity owner and am implementing this for my client. I am in the very early stages and am trying to get my setup as secure as possible whilst meeting my client's requirements.

    I've been reading Gabe's post on SiteFinityWatch named "How to secure Sitefinity’s Administrative UI". So far I have created a new administrator user with a different name than admin, deleted the original admin user and have applied a more complex requirement for passwords in general.

    The site will have a registration process that will allow anonymous users to create accounts and I'm going to auto assign them to a role such as "users" or some other such role name. Two of Gabe's suggestions confuse me, as on the one hand he advises to cut off the ~/sitefinity directory to anyone outside of the internal network (using a simple httpmodule) but then suggests renaming login.aspx to obscurelogin.aspx, which is in the sitefinity folder? Surely it can only be one or the other if my client is to allow anonymous users to create accounts and therefore hit the login url from the web.config file, which is currently set to ~/sitefinity/login.aspx?

    What feels natural to me is to create a page group named account that contains login.aspx, register.aspx, forgotpassword.aspx, changepassword.aspx and editprofile.aspx and just handle it all myself, is it OK to modify the default login url to a custom page outside of ~/sitefinity in the web.config file and thus stop using the ~/sitefinity/login.aspx, perhaps even deleting it?

    Also, in this thread SelArom suggests that cutting outside users off from the Sitefinity folder might not be such a good idea? Has this been confirmed, or is it OK to just ban all users outside of the internal network from accessing the sitefinity folder?

    Loving the product so far and am looking forward to hopefully contributing more in the future,

    kind regards,
    John C.
  2. Ivan Dimitrov
    16072 posts
    Registered:
    25 Nov 2016
    08 Jun 2010
    Hello JOHN COLCLOUGH,

    Generally it depends on whether your users will access the backend or not. If you are going to provide only public access to the website and some resources, you can cut off the Sitefinity folder, but the better option would be just adding an IIS IP restriction, so that only a certain range of IP addresses can access the backend. All other requests will be automatically denied by the web server, which is secure enough to protect the websites under it. Most of the templates of Sitefinity are embedded into DLLs, so there would not be a problem restricting this folder. We use IP restriction on Sitefinity.com and Telerik.com. As you can see, there is no problem accessing or viewing the website.

    "What feels natural to me is to create a page group named account that contains login.aspx, register.aspx, forgotpassword.aspx, changepassword.aspx and editprofile.aspx and just handle it all myself, is it OK to modify the default login url to a custom page outside of ~/sitefinity in the web.config file and thus stop using the ~/sitefinity/login.aspx, perhaps even deleting it?"

    This is valid only for the public part of the website.


    You might find this post useful - Building a secured Sitefinity website

    Greetings,
    Ivan Dimitrov
    the Telerik team

    Answered
  3. John Colclough
    7 posts
    Registered:
    05 Nov 2009
    10 Jun 2010
    Thanks for the response Ivan, and the link

    kind regards,
    John C
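
The two settings discussed in this thread, shown together as an added example (not posted by any participant and not Sitefinity's shipped configuration): a web.config fragment that points the forms login URL at a public page outside ~/sitefinity and restricts the backend folder by client IP. It assumes IIS 7 or later with the IP and Domain Restrictions feature installed; the ~/account/login.aspx path and the 10.0.0.0/8 range are placeholders.

```xml
<configuration>
  <system.web>
    <!-- Anonymous visitors are sent to a public login page that lives
         outside ~/sitefinity (hypothetical path, replace with your own). -->
    <authentication mode="Forms">
      <forms loginUrl="~/account/login.aspx" />
    </authentication>
  </system.web>

  <!-- Backend folder only: any client address not listed below is
       rejected by IIS before the request reaches the application. -->
  <location path="sitefinity">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <!-- Local access on the server itself -->
          <add ipAddress="127.0.0.1" allowed="true" />
          <!-- Internal network (placeholder range) -->
          <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The ipSecurity section is locked at server level by default, so a server administrator has to unlock it before a site-level web.config may set it. IIS matches on the connecting address, so behind a reverse proxy or load balancer the rule sees the proxy's address rather than the visitor's.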