Sitefinity admin and SSL

17 posts, 0 answered
  1. Marko
    148 posts
    Registered: 30 Jul 2008
    24 Oct 2008
    What's the recommended way for ensuring that Sitefinity admin area is SSL protected?  This would be in a situation where your public/production website also has the Admin portion accessible (i.e., www.mysite.com/sitefinity).  I know that the admin area will force you to log in, if you aren't already, but how can I ensure that the authentication is done over SSL?

    Thanks.
  2. Georgi
    3583 posts
    Registered: 20 Sep 2016
    27 Oct 2008
    Hello Marko,

    This is generally an IIS setting. You should tell IIS to treat everything under /Sitefinity as an SSL secured path. Please keep in mind that you should then access this path starting with the https:// prefix. Here is some more information about this - Implementing SSL in IIS.

    Best wishes,
    Georgi
    the Telerik team

    Check out Telerik Trainer, the state of the art learning tool for Telerik products.
  3. SelAromDotNet
    912 posts
    Registered: 18 Jul 2012
    27 Oct 2008
    would it be possible to use the same mechanism for requiring ssl in sitefinity pages to also apply to the admin section? that way it can auto-detect http: and redirect to https: just like it does for the front end.

    thanks!
  4. Marko
    148 posts
    Registered: 30 Jul 2008
    28 Oct 2008
    I agree with what SelArom said...  I think this should be handled the same way as the rest of the SSL pages in sitemap.  when a user navigates to www.mysite.com/sitefinity, the page URL turns automatically to https://, and when the user goes to www.mysite.com/whatever the url goes back to http:// .
  5. Georgi
    3583 posts
    Registered: 20 Sep 2016
    29 Oct 2008
    Hello,

    This approach cannot be used for the Admin because there is no way to determine if the request should be via the SSL protocol. In the public part this works because we determine if the request should use SSL with the page property Require SSL. Generally here is pseudo code of this check:
    void context_BeginRequest(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        HttpRequest request = context.Request;
        // Only requests that arrived over HTTPS are inspected here.
        if (request.IsSecureConnection)
        {
            // Look up the CMS page that matches the requested path.
            ICmsUrlContext url = UrlHelper.GetUrl(context.Server.UrlDecode(request.Url.AbsolutePath));
            // The page does not have Require SSL set, so send the client back to HTTP.
            if (url != null && !url.RequireSSL)
            {
                context.Response.Redirect(request.Url.AbsoluteUri.Replace("https://", "http://"), true);
            }
        }
    }

    Best wishes,
    Georgi
    the Telerik team
  6. Marko
    148 posts
    Registered: 30 Jul 2008
    31 Oct 2008
    I decided that this is the easiest approach (at least for now), and it works for me:

    I opened the Sitefinity/Login.aspx.cs and added the following code (found here, originally) to the page_load:

            // This is the current URL.
            System.Uri currentUrl = System.Web.HttpContext.Current.Request.Url;
            // Don't redirect if this is localhost.
            if (!currentUrl.IsLoopback)
            {
                // URI schemes are not culture-sensitive text, so compare them ordinally.
                if (!currentUrl.Scheme.Equals(System.Uri.UriSchemeHttps, System.StringComparison.OrdinalIgnoreCase))
                {
                    // Build the secure URI.
                    System.UriBuilder secureUrlBuilder = new System.UriBuilder(currentUrl);
                    secureUrlBuilder.Scheme = System.Uri.UriSchemeHttps;
                    // Use the default port for the scheme.
                    secureUrlBuilder.Port = -1;
                    // Redirect and end the response.
                    System.Web.HttpContext.Current.Response.Redirect(secureUrlBuilder.Uri.ToString());
                }
            }

    Any potential problems with this approach, other than the fact that it's assuming you have SSL setup on the site?  I'm thinking that can easily be overcome by introducing a variable in the web.config that says something like RunAdminOverHTTPS=true/false, which can then be checked in the code above.  If true, then redirect, if not, don't.... 
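
Added example (not code from any poster in this thread or from Telerik): the redirect above generalised from Login.aspx to every request under the admin path, with the on/off switch Marko proposes. The class name `AdminHttpsModule`, the `/sitefinity` prefix at the site root and the `RunAdminOverHTTPS` appSetting key are assumptions; only standard ASP.NET APIs are used.

```csharp
using System;
using System.Configuration;
using System.Web;

// Hypothetical module; register it under <httpModules> (classic pipeline)
// or <system.webServer>/<modules> (integrated pipeline) in web.config.
public class AdminHttpsModule : IHttpModule
{
    // Assumed admin path; adjust if the site runs in a virtual directory.
    private const string AdminPrefix = "/sitefinity";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    // Returns the HTTPS URL to redirect to, or null when no redirect is needed.
    // Kept free of HttpContext so the rule can be unit tested.
    public static Uri GetSecureRedirect(Uri url, bool isSecure, bool enabled)
    {
        if (!enabled || isSecure || url.IsLoopback)
            return null;

        // Match "/sitefinity" and "/sitefinity/..." but not "/sitefinity-news".
        string path = url.AbsolutePath;
        bool isAdmin =
            path.Equals(AdminPrefix, StringComparison.OrdinalIgnoreCase) ||
            path.StartsWith(AdminPrefix + "/", StringComparison.OrdinalIgnoreCase);
        if (!isAdmin)
            return null;

        // Port = -1 selects the default port for the new scheme (443).
        var builder = new UriBuilder(url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        return builder.Uri;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // Assumed appSetting; a missing or unparsable value leaves the redirect off.
        bool enabled;
        bool.TryParse(ConfigurationManager.AppSettings["RunAdminOverHTTPS"], out enabled);

        Uri target = GetSecureRedirect(context.Request.Url, context.Request.IsSecureConnection, enabled);
        if (target != null)
            context.Response.Redirect(target.AbsoluteUri, true);
    }
}
```

A redirect cannot protect a request that has already been sent in clear text, such as a login form posted to an http:// URL, so the IIS "require SSL" setting on /Sitefinity that Georgi describes remains the stricter control.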
  7. Georgi
    3583 posts
    Registered: 20 Sep 2016
    04 Nov 2008
    Hello Marko,

    Thank you for posting your solution, and contributing to the community!
    We do not see any potential problems with it, and having an option for enabling/disabling the SSL in the admin is really a good idea.

    Our task now is to get as many properties as possible out of the configuration file. We think to have a user friendly UI for all options somewhere in the Admin, and I think we should consider this suggestion also.

    Thank you once again!

    Kind regards,
    Georgi
    the Telerik team
  8. SelAromDotNet
    912 posts
    Registered: 18 Jul 2012
    04 Nov 2008
    I've just encountered another situation related to this. of course the login should be ssl enabled, but we have developed an intrasite module that allows us to view sensitive customer data. the sitefinity admin section is restricted to our internal network only, but this data should still be encrypted...

    i'm going to try to use the code given above (thanks btw) to secure this module but it really would be great to build this into sitefinity itself sometime down the road.

    I'll let you know how it goes
  9. Matthew
    38 posts
    Registered: 24 Jun 2012
    09 Oct 2009
    Hello there,

    We have implemented the redirection approach as documented here. However, a couple points to note:

     

    When logged in, if a client wants to use the “View Live Page in a new window” feature within the Administration area, they will need to remove the “s” from the https:// in the URL bar (otherwise the preview page will time out and they will not be able to see it). This is because Sitefinity has some in-built mechanism to only display a page on the front-end of the site over SSL if the properties of that page have explicitly been set to Allow SSL. We could override the method upon preview to do another redirection but if a page did require SSL (and the page SSL properties were set as such) then the page would time out if it was not delivered over SSL.

    Wouldn't mind some comment from Sitefinity on why they have built the page properties SSL feature this way, as effectively the Admin can't use the site preview functionality if accessed over https://

  10. Roopesh
    39 posts
    Registered: 29 Oct 2010
    25 May 2011
    Hello Georgi,

    Where to add this code?

    Thank you
    Roopesh


    void context_BeginRequest(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        HttpRequest request = context.Request;
        if (request.IsSecureConnection)
        {
            ICmsUrlContext url = UrlHelper.GetUrl(context.Server.UrlDecode(request.Url.AbsolutePath));
            if (url != null && !url.RequireSSL)
            {
                context.Response.Redirect(request.Url.AbsoluteUri.Replace("https://", "http://"), true);
            }
        }
    }
  11. Ivan Dimitrov
    16072 posts
    Registered: 19 Sep 2016
    27 May 2011
    Hello,

    You can create an HttpModule that inherits from CmsHttpModule and override the ProcessSslRedirect method, where you can control the way that SSL is handled. Basically you can move the logic posted above there.

    Kind regards,
    Ivan Dimitrov
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  12. Dmitry
    4 posts
    Registered: 15 Apr 2011
    07 Sep 2011
    Hello Ivan,

    I have a question. I'm using Sitefinity 4.1 SP3 and I do not have Telerik.Cms.dll, which has the CmsHttpModule class. What can I do? Where can I get it?
  13. Ivan Dimitrov
    16072 posts
    Registered: 19 Sep 2016
    07 Sep 2011
    Hello Dmitry,

    You should replace SitefinityRoute through ObjectFactory using IoC (inversion of control) and override ProcessRedirects there. To replace the route you can use Bootstrapper and its static class RegisterRoutes. To each node which requires SSL we add the attribute node.Attributes["RequireSsl"]; to identify it inside the context of the request.

    Best wishes,
    Ivan Dimitrov
    the Telerik team

    Thank you for being the most amazing .NET community! Your unfailing support is what helps us charge forward! We'd appreciate your vote for Telerik in this year's DevProConnections Awards. We are competing in mind-blowing 20 categories and every vote counts! VOTE for Telerik NOW >>

  14. Dmitry
    4 posts
    Registered: 15 Apr 2011
    07 Sep 2011
    Hello Ivan,

    That was very quick! Can you provide some code snippets and tell me where I have to implement it? Thx
  15. Ivan Dimitrov
    16072 posts
    Registered: 19 Sep 2016
    08 Sep 2011
    Hi Dmitry,

    You can take a look at this post where I posted a code that shows how to replace the route.

    Greetings,
    Ivan Dimitrov
    the Telerik team

  16. Dmitry
    4 posts
    Registered: 15 Apr 2011
    31 Oct 2011
    Hello Ivan,

    I have read your post about replacing the route. I did everything that was explained in this post, but I don't get to the GetRouteData method from my SitefinityRouteCustom class, which inherits from SitefinityRoute. What should I do?

    Dmitry
  17. Stanislav Velikov
    1113 posts
    Registered: 22 Sep 2016
    03 Nov 2011
    Hi Dmitry,

    I am not sure what might have gone wrong. Can you send me the problematic implementation?

    Kind regards,
    Stanislav Velikov
    the Telerik team