|
|
Rank: Enthusiast
Joined: 8/11/2006
Posts: 22
Location: Hedehusene, Denmark
|
I've to secure a part of a website with SSL, but I have no experience on how to do it. After searching the old Yahoo-group I found some input on the subject. But I would appreciate if somebody would be kind to point me in the right direction regarding setup.
home
- products
- news
- intranet (protected area with member-login)
- - - group A (only login)
- - - group B (ssl)
- - - group C (ssl)
Each of the "secured" groups will have to have an upload for documentation.
Best regards,
Søren
Freelace webdesigner - umbraco, xhtml, xslt, css, c#
|
|
Rank: Addict
Joined: 7/19/2006
Posts: 597
Location: Bad Homburg, Germany
|
Hi Sören Kalle droped this solution to me: In IIS add the certificate. Allow HTTP and HTTPS. Then you can add a property to the doctype like MustUseSSL or something like that. Then you can create a control "CheckSSL", add this at the front of your template. In the Control you can check if the Request was called with https or not. If not and the page has set MustUseSSL to true you can do a redirect to the same url with https. I have tested this and it worked fine. Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Umbracoholic
Joined: 7/20/2006
Posts: 1,074
Location: Charleston, West Virginia, United States
|
You should make your solution into a package and offer it to the masses... :-P Would you post your control?
• 2007/2008 MVP • 2008/2009 MVP • Certified • Licensing • Support • Development • Hosting •
|
|
Rank: Addict
Joined: 7/19/2006
Posts: 649
Location: Preston, UK
|
Thomas,
On a slighly different note you could possibly write http module that say checks if current page is umbraco log in page and redirect that via https so we have a more secure login for Umbraco?
Regards
Ismail
Level 2 certified. If it aint broke dont fix.
|
|
Rank: Enthusiast
Joined: 8/11/2006
Posts: 22
Location: Hedehusene, Denmark
|
Hi Thomas and Ismail,
thank you both for your input. It seems to be a straight forward solution. Only problem for me is that I've not yet reached the usercontrol building phase, so I would feel a bit uncomfortable trying to build it myself as it of course needs to be flawlessly secure(!).
I know it is much to ask for, but would any of you have an already build control that I could use?
/Søren
Freelace webdesigner - umbraco, xhtml, xslt, css, c#
|
|
Rank: Addict
Joined: 7/19/2006
Posts: 597
Location: Bad Homburg, Germany
|
Hi all I don't know if I can do this the next two days, but I will try to get all your ideas into a dll asap. Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Enthusiast
Joined: 8/11/2006
Posts: 22
Location: Hedehusene, Denmark
|
Hi Thomas.
Once again you're a great help! Thank you very much.
Best regards,
Søren
Freelace webdesigner - umbraco, xhtml, xslt, css, c#
|
|
Rank: Addict
Joined: 7/19/2006
Posts: 597
Location: Bad Homburg, Germany
|
Hi all made the solution I described in a dll with ascx. Download it here: thUmbracoHelpers How to install: place the dll into the bin of your umbraco and place the ascx into the usercontrols dir. Add a new macro, set it to the ascx (.Net User Control to "usercontrols/CheckSSL.ascx"). In your template add at the first line the created macro. In your DocumentType add a new property with the Alias "MustUseSSL" and type = "True/False". So this should do it. Remind this is made in .Net 2.0. In the next time I will try to take a look into packages and the handler. But I don't know if I will get the time. Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Addict
Joined: 7/19/2006
Posts: 597
Location: Bad Homburg, Germany
|
OK the link: http://www.diehoehlers.de/http://www.diehoehlers.de/media/383/thumbracohelpers.zip <a href="http://www.diehoehlers.de/media/383/thumbracohelpers.zip">Download</a> it seems that the link button does not work in Firefox Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Enthusiast
Joined: 8/11/2006
Posts: 22
Location: Hedehusene, Denmark
|
I've followed your instructions but encounter a problem getting the control to work. Would it be because of the fact that the site runs in .NET 1.1.4322?
/Søren
System.Web.HttpParseException: Parser Error: Could not load type 'thUmbracoHelpers.CheckSSL'. ---> System.Web.HttpException: Could not load type 'thUmbracoHelpers.CheckSSL'. at System.Web.UI.TemplateParser.GetType(String typeName, Boolean ignoreCase) at System.Web.UI.TemplateParser.ProcessMainDirective(IDictionary mainDirective) at System.Web.UI.TemplateControlParser.ProcessMainDirective(IDictionary mainDirective) at System.Web.UI.TemplateParser.ProcessDirective(String directiveName, IDictionary directive) at System.Web.UI.TemplateControlParser.ProcessDirective(String directiveName, IDictionary directive) at System.Web.UI.TemplateParser.ParseStringInternal(String text) at System.Web.UI.TemplateParser.ParseString(String text, String virtualPath, String basePhysicalDir) --- End of inner exception stack trace --- at System.Web.UI.TemplateParser.ParseString(String text, String virtualPath, String basePhysicalDir) at System.Web.UI.TemplateParser.ParseFile(String filename, String virtualPath) at System.Web.UI.TemplateParser.Parse() at System.Web.UI.TemplateParser.GetParserCacheItemThroughCompilation() at System.Web.UI.TemplateParser.GetParserCacheItemInternal(Boolean fCreateIfNotFound) at System.Web.UI.TemplateParser.GetParserCacheItemWithNewConfigPath() at System.Web.UI.TemplateParser.GetParserCacheItem() at System.Web.UI.TemplateControlParser.CompileAndGetParserCacheItem(String virtualPath, String inputFile, HttpContext context) at System.Web.UI.TemplateControlParser.GetCompiledType(String virtualPath, String inputFile, HttpContext context) at System.Web.UI.UserControlParser.GetCompiledUserControlType(String virtualPath, String inputFile, HttpContext context) at System.Web.UI.TemplateControl.LoadControl(String virtualPath) at umbraco.developer.assemblyBrowser.Page_Load(Object sender, EventArgs e)
Freelace webdesigner - umbraco, xhtml, xslt, css, c#
|
|
Rank: Addict
Joined: 7/19/2006
Posts: 597
Location: Bad Homburg, Germany
|
try this: <a href="http://www.diehoehlers.de/media/386/thumbracohelpers11.zip">thUmbracoHelpers11</a> Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Enthusiast
Joined: 8/11/2006
Posts: 22
Location: Hedehusene, Denmark
|
Hi Thomas.
I tried all day yesterday to get the Usercontrol to work, unfortunately without succeeding though.
The whole site is allowed to work with http and https in the IIS. That means the certificat is activated and the site is running smoothly with and without SSL. The problem is that the pages using the template with the CheckSSL-macro don't get redirected. Instead they are being forced only to be shown with https even if the MustUseSSL-property is set to false.
Am I missing something?
Regards,
Søren
Freelace webdesigner - umbraco, xhtml, xslt, css, c#
|
|
Rank: Addict
Joined: 7/19/2006
Posts: 597
Location: Bad Homburg, Germany
|
Hi Sören bug: I used <> instead of = try this again: http://www.diehoehlers.de/media/386/thumbracohelpers11.zipThomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Enthusiast
Joined: 8/11/2006
Posts: 22
Location: Hedehusene, Denmark
|
Hi Thomas.
I'm sorry to bother you again. Now the macro runs although the redirect address does result in an error:
No node found (https://www.xxxxxx.com/default.aspx?umbPage=/default.aspx&umbPage=/intranet/yyyyyy.aspx, '/root/node/node [@urlName = "default,"]/node [@urlName = "intranet"]/node [@urlName = "yyyyyy"]')
The second problem seems to be that the macro won't automatically get you back to the non-ssl part of the site as every link on the ssl-pages have https in front of the address and there is no "re-redirect". Please correct me if I'm missing anything or doing it wrong. I've put the macro as the first line of the main template.
/Søren
Freelace webdesigner - umbraco, xhtml, xslt, css, c#
|
|
Rank: Addict
Joined: 7/19/2006
Posts: 597
Location: Bad Homburg, Germany
|
Ok It seems thath the URL function in .Net 2.0 and 1.1 doesn't have the same return values. Try downloading again (Use the link before). I changed the redirecturl manually. hth, Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Enthusiast
Joined: 8/11/2006
Posts: 22
Location: Hedehusene, Denmark
|
Hi Thomas.
It's getting better and better each time. Only I can't get back to http when hitting a link to a non-ssl-encrypted part from within the ssl-encrypted part of the site. Is there a way of ensuring that the false-statement in the MustUseSSL-property will result in a "redirect" to http? Or is it another bug caused by converting from .NET 2.0 into 1.1?
I really appreciate all your efforts in helping me out.
/Soren
Freelace webdesigner - umbraco, xhtml, xslt, css, c#
|
|
Rank: Addict
Joined: 7/19/2006
Posts: 597
Location: Bad Homburg, Germany
|
Søren Tidmand wrote:
Only I can't get back to http when hitting a link to a non-ssl-encrypted part from within the ssl-encrypted part of the site. Is there a way of ensuring that the false-statement in the MustUseSSL-property will result in a "redirect" to http? Or is it another bug caused by converting from .NET 2.0 into 1.1?
Surly I can add a property where you can define that all pages where MustUseSSL is not set or set to false is shown with HTTP. But be aware that some security issues can warn the user getting redirected fom an secure site to an unsecure site. I will do this at the weekend because my VS at home is broken. I have not time to reconfigure this till the weekend. Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Devotee
Joined: 3/31/2007
Posts: 66
Location: Switzerland
|
Where has the zip file gone???
|
|
Rank: Addict
Joined: 7/19/2006
Posts: 597
Location: Bad Homburg, Germany
|
It's gone with the wind... Sorry, I will post a new link the next days. First I have to find it again... Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Addict
Joined: 7/19/2006
Posts: 597
Location: Bad Homburg, Germany
|
I found them: EN: www.thoehler.comDE: www.thoehler.comThomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
|
Guest |