Sitefinity admin and SSL

  • Marko avatar

    Posted on Oct 24, 2008 (permalink)

    What's the recommended way for ensuring that the Sitefinity admin area is SSL protected?  This would be in a situation where your public/production website also has the Admin portion accessible (i.e., www.mysite.com/sitefinity).  I know that the admin area will force you to log in, if you aren't already, but how can I ensure that the authentication is done over SSL?

    Thanks.


  • Georgi Georgi admin's avatar

    Posted on Oct 27, 2008 (permalink)

    Hello Marko,

    This is generally an IIS setting. You should tell IIS to treat everything under /Sitefinity as an SSL-secured path. Please keep in mind that you should then access this path with the https:// prefix. Here is some more information about this - Implementing SSL in IIS.

    Best wishes,
    Georgi
    the Telerik team

    Check out Telerik Trainer, the state of the art learning tool for Telerik products.


  • Posted on Oct 27, 2008 (permalink)

    would it be possible to use the same mechanism for requiring ssl in sitefinity pages to also apply to the admin section? that way it can auto-detect http: and redirect to https: just like it does for the front end.

    thanks!


  • Marko avatar

    Posted on Oct 28, 2008 (permalink)

    I agree with what SelArom said...  I think this should be handled the same way as the rest of the SSL pages in sitemap.  when a user navigates to www.mysite.com/sitefinity, the page URL turns automatically to https://, and when the user goes to www.mysite.com/whatever the url goes back to http:// .


  • Georgi Georgi admin's avatar

    Posted on Oct 29, 2008 (permalink)

    Hello,

    This approach cannot be used for the Admin because there is no way to determine if the request should be via the SSL protocol. In the public part this works because we determine if the request should use SSL with the page property Require SSL. Generally, here is pseudo code of this check:

    // Runs at the start of every request.
    void context_BeginRequest(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        HttpRequest request = context.Request;
        if (request.IsSecureConnection)
        {
            // Look up the CMS page for the requested path.
            ICmsUrlContext url = UrlHelper.GetUrl(context.Server.UrlDecode(HttpContext.Current.Request.Url.AbsolutePath));
            // The page exists but is not marked Require SSL: send the client back to http.
            if (url != null && !url.RequireSSL)
            {
                context.Response.Redirect(request.Url.AbsoluteUri.Replace("https://", "http://"), true);
            }
        }
    }
     

    Best wishes,
    Georgi
    the Telerik team


  • Marko avatar

    Posted on Oct 31, 2008 (permalink)

    I decided that this is the easiest approach (at least for now), and it works for me:

    I opened the Sitefinity/Login.aspx.cs and added the following code (found here, originally) to the page_load:

            //this is the current url  
            System.Uri currentUrl = System.Web.HttpContext.Current.Request.Url; 
            //don't redirect if this is localhost 
            if (!currentUrl.IsLoopback) 
            { 
                if (!currentUrl.Scheme.Equals(Uri.UriSchemeHttps, StringComparison.CurrentCultureIgnoreCase)) 
                { 
                    //build the secure uri 
                    System.UriBuilder secureUrlBuilder = new UriBuilder(currentUrl); 
                    secureUrlBuilder.Scheme = Uri.UriSchemeHttps; 
                    //use the default port.  
                    secureUrlBuilder.Port = -1; 
                    //redirect and end the response. 
                    System.Web.HttpContext.Current.Response.Redirect(secureUrlBuilder.Uri.ToString()); 
                } 
            } 

    Any potential problems with this approach, other than the fact that it's assuming you have SSL setup on the site?  I'm thinking that can easily be overcome by introducing a variable in the web.config that says something like RunAdminOverHTTPS=true/false, which can then be checked in the code above.  If true, then redirect, if not, don't.... 

    Reply
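The web.config switch proposed in the post above, applied to every request under the admin path rather than to Login.aspx alone, as an added example that is not code from the thread or from Telerik. The class name `AdminHttpsModule` is hypothetical, the `RunAdminOverHTTPS` key is the one suggested in the post, and the module assumes IIS itself terminates TLS (behind an SSL-offloading proxy `IsSecureConnection` is always false and the redirect would loop).

```csharp
using System;
using System.Configuration;
using System.Web;

// Added example (hypothetical class name). Register it under <httpModules>
// (or <system.webServer>/<modules> for the IIS 7 integrated pipeline).
public class AdminHttpsModule : IHttpModule
{
    // Admin path as given in the thread (www.mysite.com/sitefinity).
    private const string AdminRoot = "~/sitefinity";

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }

    public void Dispose() { }

    // Decision rule kept separate from HttpContext so it can be unit-tested.
    public static bool MustUpgrade(bool enabled, bool isSecure, bool isLocal, string appRelativePath)
    {
        if (!enabled || isSecure || isLocal) return false;
        return appRelativePath.Equals(AdminRoot, StringComparison.OrdinalIgnoreCase)
            || appRelativePath.StartsWith(AdminRoot + "/", StringComparison.OrdinalIgnoreCase);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        HttpRequest request = context.Request;

        // The flag proposed in the thread: <add key="RunAdminOverHTTPS" value="true" />
        // A missing or unparsable value leaves the module disabled.
        bool enabled;
        bool.TryParse(ConfigurationManager.AppSettings["RunAdminOverHTTPS"], out enabled);

        if (!MustUpgrade(enabled, request.IsSecureConnection, request.IsLocal,
                         request.AppRelativeCurrentExecutionFilePath)) return;

        if (request.HttpMethod != "GET" && request.HttpMethod != "HEAD")
        {
            // A form posted over http was already sent in clear text; refuse it instead of redirecting.
            context.Response.StatusCode = 403;
            context.ApplicationInstance.CompleteRequest();
            return;
        }

        UriBuilder secure = new UriBuilder(request.Url);
        secure.Scheme = Uri.UriSchemeHttps;
        secure.Port = -1; // default HTTPS port, as in the Login.aspx.cs snippet
        context.Response.Redirect(secure.Uri.ToString(), true);
    }
}
```

A redirect only moves the browser to https; setting `requireSSL="true"` on the `<forms>` element in web.config additionally keeps the forms-authentication cookie off plain-http requests.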

  • Georgi Georgi admin's avatar

    Posted on Nov 4, 2008 (permalink)

    Hello Marko,

    Thank you for posting your solution, and contributing to the community!
    We do not see any potential problems with it, and having an option for enabling/disabling the SSL in the admin is really a good idea.

    Our task now is to get as many properties as possible out of the configuration file. We think to have a user friendly UI for all options somewhere in the Admin, and I think we should consider this suggestion also.

    Thank you once again!

    Kind regards,
    Georgi
    the Telerik team


  • Posted on Nov 4, 2008 (permalink)

    I've just encountered another situation related to this. of course the login should be ssl enabled, but we have developed an intrasite module that allows us to view sensitive customer data. the sitefinity admin section is restricted to our internal network only, but this data should still be encrypted...

    i'm going to try to use the code given above (thanks btw) to secure this module but it really would be great to build this into sitefinity itself sometime down the road.

    I'll let you know how it goes


  • Matthew avatar

    Posted on Oct 9, 2009 (permalink)

    Hello there,

    We have implemented the redirection approach as documented here. However, a couple points to note:

     

    When logged in, if a client wants to use the “View Live Page in a new window” feature within the Administration area, they will be required to remove the “s” from the https:// in the URL bar (otherwise the preview page will time out and they will not be able to see it). This is because Sitefinity has some in-built mechanism to only display a page on the front-end of the site over SSL if the properties of that page have explicitly been set to Allow SSL. We could override the method upon preview to do another redirection but if a page did require SSL (and the page SSL properties were set as such) then the page would time out if it was not delivered over SSL.

    Wouldn't mind some comment from Sitefinity on why they have built the page properties SSL feature this way, as effectively the Admin can't use the site preview functionality if accessed over https://


  • Posted on May 25, 2011 (permalink)

    Hello Georgi ,

    Where to add this code?

    Thank you
    Roopesh


    void context_BeginRequest(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        HttpRequest request = context.Request;
        if (request.IsSecureConnection)
        {
            ICmsUrlContext url = UrlHelper.GetUrl(context.Server.UrlDecode(HttpContext.Current.Request.Url.AbsolutePath));
            if (url != null && !url.RequireSSL)
            {
                context.Response.Redirect(request.Url.AbsoluteUri.Replace("https://", "http://"), true);
            }
        }
    }


  • Ivan Dimitrov Ivan Dimitrov admin's avatar

    Posted on May 27, 2011 (permalink)

    Hello,

    You can create an HttpModule that inherits from CmsHttpModule and override the ProcessSslRedirect method, where you can control the way that SSL is handled. Basically you can move the logic posted above there.

    Kind regards,
    Ivan Dimitrov
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items


  • Dmitry avatar

    Posted on Sep 7, 2011 (permalink)

    Hello Ivan,

    I have a question. I'm using Sitefinity 4.1 SP3 and I do not have the Telerik.Cms.dll that has the CmsHttpModule class. What can I do? Where can I get it?


  • Ivan Dimitrov Ivan Dimitrov admin's avatar

    Posted on Sep 7, 2011 (permalink)

    Hello Dmitry,

    You should replace SitefinityRoute through ObjectFactory using IoC (inversion of control) and there override ProcessRedirects. To replace the route you can use Bootstrapper and its static class RegisterRoutes. To each node which requires SSL we add attribute node.Attributes["RequireSsl"]; to identify it inside the context of the request.

    Best wishes,
    Ivan Dimitrov
    the Telerik team

    Thank you for being the most amazing .NET community! Your unfailing support is what helps us charge forward! We'd appreciate your vote for Telerik in this year's DevProConnections Awards. We are competing in mind-blowing 20 categories and every vote counts! VOTE for Telerik NOW >>


  • Dmitry avatar

    Posted on Sep 7, 2011 (permalink)

    Hello Ivan

    That was very quick! Can you provide some code snippets and where do I have to implement it? thx


  • Ivan Dimitrov Ivan Dimitrov admin's avatar

    Posted on Sep 8, 2011 (permalink)

    Hi Dmitry,

    You can take a look at this post where I posted a code that shows how to replace the route.

    Greetings,
    Ivan Dimitrov
    the Telerik team


  • Dmitry avatar

    Posted on Oct 31, 2011 (permalink)

    Hello Ivan,

    I have read your post about replacing the route. I did everything that was explained in this post, but I don't get to the GetRouteData method from my SitefinityRouteCustom class which inherits the SitefinityRoute. What should I do?

    Dmitry


  • Stanislav Velikov Stanislav Velikov admin's avatar

    Posted on Nov 3, 2011 (permalink)

    Hi Dmitry,

    I am not sure what might have gone wrong. Can you send me the problematic implementation?

    Kind regards,
    Stanislav Velikov
    the Telerik team