 Rank: Devotee
Joined: 3/31/2007 Posts: 66 Location: Switzerland
|
Thank a million
|
|
Rank: Enthusiast
Joined: 9/7/2007 Posts: 20 Location: UK
|
Thomas Höhler wrote:
Søren Tidmand wrote: Only I can't get back to http when hitting a link to a non-ssl-encrypted part from within the ssl-encrypted part of the site. Is there a way of ensuring that the false-statement in the MustUseSSL-property will result in a "redirect" to http? Or is it another bug caused by converting from .NET 2.0 into 1.1?
Surely I can add a property where you can define that all pages where MustUseSSL is not set or set to false are shown with HTTP. But be aware that some security issues can warn the user getting redirected from a secure site to an unsecure site. I will do this at the weekend because my VS at home is broken. I have not time to reconfigure this till the weekend. Thomas

I have found the same issue, it does not revert back from HTTPS connections to HTTP. I am using Umbraco 3 and .Net 2.0. I have a similar set-up to Søren, one area of the site requires HTTPS. I can browse around the non-SSL part of the site correctly, and then get redirected to HTTPS for the content with MustUseSSL property set to true. But whether the page has MustUseSSL set to false or MustUseSSL is not defined for the content type it does not go back to HTTP. Should this work? If I could have a look at the source code, then I could look into what is happening.
Richard
|
|
 Rank: Addict
Joined: 7/19/2006 Posts: 597 Location: Bad Homburg, Germany
|
First of all you can take a tool like Lutz Röder's .Net Reflector to see what is happening. But I can also say that this tool only checks the direction from http to https, not backwards. So I can do an update with a backward checking logic or I can share the code. Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Enthusiast
Joined: 9/7/2007 Posts: 20 Location: UK
|
Thomas Höhler wrote: First of all you can take a tool like Lutz Röder's .Net Reflector to see what is happening. But I can also say that this tool only checks the direction from http to https, not backwards. So I can do an update with a backward checking logic or I can share the code. Thomas

Thomas, If you could update the tool to enable it to switch back from https to http that would be really useful. If you do not have the time, then I could have a look.
Regards Richard
|
|
 Rank: Addict
Joined: 7/19/2006 Posts: 597 Location: Bad Homburg, Germany
|
Richard wrote: Thomas, If you could update the tool to enable it to switch back from https to http that would be really useful. If you do not have the time, then I could have a look.
Regards Richard
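Hi Richard
The old code was:
Code:
protected void Page_Load(object sender, EventArgs e)
{
    // Read the MustUseSSL property of the node being rendered.
    umbraco.presentation.nodeFactory.Node currentNode = umbraco.presentation.nodeFactory.Node.GetCurrent();
    umbraco.presentation.nodeFactory.Property prop = currentNode.GetProperty("MustUseSSL");
    // Only the http -> https direction is checked.
    if (prop != null && System.Xml.XmlConvert.ToBoolean(prop.Value) == true && Request.IsSecureConnection == false)
    {
        // Switch only the scheme; Replace("http", "https") would also rewrite "http" inside the path or query string.
        System.UriBuilder secureUrl = new System.UriBuilder(Request.Url);
        secureUrl.Scheme = "https";
        secureUrl.Port = -1; // use the default port of the new scheme
        Response.Redirect(secureUrl.Uri.ToString(), true);
        return;
    }
}
So, I think that what you want to achieve is a three-way parameter:
- Only use https
- Only use http
- use both (equal what you are using)
If you need help for this I can do it for you.
Thomas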
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Enthusiast
Joined: 9/7/2007 Posts: 20 Location: UK
|
I agree, MustUseSSL will need to have three values "Yes", "No" and "Retain" (i.e. do not change).
Is this all of the code that is required for this functionality? Can you send me the project? I will update and test it and send it back.
Regards Richard
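The three-way MustUseSSL setting discussed in the posts above, as an added example (not code from the thread or from the checkssl control). The names `SslPolicy` and `ResolveRedirect` are hypothetical, the sample URLs are constructed, and treating a missing or unrecognised value as "Retain" is an assumption.

```csharp
using System;

// Added example: three-way MustUseSSL policy ("Yes", "No", "Retain").
public static class SslPolicy
{
    // Returns the URL to redirect to, or null when the request can be served as-is.
    // Assumption: a missing or unrecognised value behaves like "Retain".
    public static Uri ResolveRedirect(Uri requestUrl, string mustUseSsl)
    {
        string value = (mustUseSsl ?? "").Trim();
        string wanted;
        if (value.Equals("Yes", StringComparison.OrdinalIgnoreCase))
            wanted = Uri.UriSchemeHttps;
        else if (value.Equals("No", StringComparison.OrdinalIgnoreCase))
            wanted = Uri.UriSchemeHttp;
        else
            return null; // "Retain": keep whatever scheme the visitor is on

        if (requestUrl.Scheme == wanted)
            return null; // already on the required scheme, so no redirect loop

        // Change only the scheme; Port = -1 selects the default port of the new scheme.
        UriBuilder target = new UriBuilder(requestUrl);
        target.Scheme = wanted;
        target.Port = -1;
        return target.Uri;
    }

    public static void Main()
    {
        // Constructed sample requests: URL and MustUseSSL property value.
        string[][] samples = {
            new[] { "http://example.com/shop/http-faq.aspx?ref=http", "Yes" },
            new[] { "https://example.com/news.aspx", "No" },
            new[] { "https://example.com/about.aspx", "Retain" },
            new[] { "https://example.com/shop/cart.aspx", "Yes" },
            new[] { "http://example.com/contact.aspx", null },
        };
        foreach (string[] s in samples)
        {
            Uri redirect = ResolveRedirect(new Uri(s[0]), s[1]);
            Console.WriteLine("{0} [{1}] -> {2}", s[0], s[1] ?? "(not set)",
                redirect == null ? "no redirect" : redirect.AbsoluteUri);
        }
    }
}
```

In a Page_Load handler the returned URL would be passed to `Response.Redirect(redirect.AbsoluteUri, true)` when it is not null. With the "No" value, any cookie issued on the HTTPS pages without the Secure flag is sent in cleartext on the following HTTP request.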
|
|
Rank: Newbie
Joined: 12/11/2007 Posts: 3
|
Hi all,
Hmmm, "checkssl" user control is a good idea! Every programmer will have a bit of an uncomfortable feeling with it though ... like I had. It feels like we're doing one thing and then changing our mind. A lot of processing is done before the system gets to the checkssl user control which does the redirect (if needed of course). We can avoid that by catching the request straight away - before umbraco starts its processing. Well there's a solution out there, it's called WebPageSecurity (http://www.codeproject.com/KB/web-security/WebPageSecurity_v2.aspx) which does a great job in terms of http/https redirects.
Installation:
Please follow the installation instructions found on the project page. What we need is to "force" it to work correctly with umbraco (modify one line in the source code), so the request processing will fire just before umbraco will put its shiny hands on it! :P
-- SecureWebPageModule.cs (v3.1) Line 47:
context.AcquireRequestState += new EventHandler(this.Application_ProcessRequest);
Replace it with:
context.BeginRequest += new EventHandler(this.Application_ProcessRequest);
(reassign the event to fire at beginrequest)
Obviously the http module configuration line has to be put before umbraco's rewriting module configuration lines in web.config:
<add name="UrlRewriteModule" type="UrlRewritingNet.Web.UrlRewriteModule, UrlRewritingNet.UrlRewriter"/>
<add name="umbracoRequestModule" type="umbraco.presentation.requestModule"/>
That's it really! Hopefully this helps and it's quite clear for everyone.
Kamil
Essence Design Limited - http://www.essence-design.co.uk
PS. Umbraco rocks !!! :P
|
|
 Rank: Addict
Joined: 7/19/2006 Posts: 597 Location: Bad Homburg, Germany
|
As I saw in the code check ins on codeplex SSL support will be added in the next versions... So the core team should answer this question before we are doing work which is already done... Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Devotee
Joined: 9/12/2007 Posts: 58 Location: Honoluu, HI
|
Yes, Thomas I added SSL support for the umbraco backend so that the username/password will be transmitted securely. Try it out and let me know if there's something that I missed.
To install:
- download and build the latest source code version on codeplex
- copy dlls to bin folder
- add
Code:
<add key="umbracoUseSSL" value="true" />
to your web.config
Thanks, John Cruz
|
|
 Rank: Addict
Joined: 7/19/2006 Posts: 597 Location: Bad Homburg, Germany
|
Hi John, Am I right that the SSL support is only for the backend (umbraco folder)? The SSL support for existing folders like "/umbraco" can be done via IIS, so (imho) there is no need to do this for the "/umbraco" folder. A possibility to add SSL support for each content node in the umbraco content should be given via a predefined property (e.g. like umbracoRedirect). Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Devotee
Joined: 9/12/2007 Posts: 58 Location: Honoluu, HI
|
I will look into how I can implement SSL like how you suggested. I will keep you posted.
John
|
|
Rank: Fanatic
Joined: 3/15/2007 Posts: 378 Location: Cary, NC USA
|
Not sure if this will help anyone out or not but here's what we did...
1. force SSL on the umbraco directory:
- make sure directories/files are flagged (or in this case /umbraco from application root) as requiring SSL via IIS
- added an ensure https html file which redirects back to self if no https (see snapshot)
- mapped 403;4 errors to above html file so all http requests are redirected and sent to clients as https
- voila, install/forced SSL
2. on a page/control level for all areas we want to "force" SSL inside umbraco we call the method below (could easily be wrapped into macro but we call it in our page load event of controls that we want to force SSL on)
Method we use in our business component and controls to force SSL request:
Code:
public void ForceSSL()
{
    //get environment
    System.Web.HttpContext context = System.Web.HttpContext.Current;
    string strServer = context.Request.ServerVariables["SERVER_NAME"];
    //UserAgent is null when the client sends no User-Agent header
    string userAgent = context.Request.UserAgent ?? "";

    //force secure redirect if needed (also make sure not w3c validator)
    if (!context.Request.IsSecureConnection && userAgent.IndexOf("W3C") == -1 && strServer.IndexOf("localhost") == -1)
    {
        context.Response.Redirect("https://" + strServer + context.Request.RawUrl, true);
    }
}
then in our navigation xslt files (dropdown menus, side section-specific navs, breadcrumbs, etc) we call the method below wrapped in our own xslt extension library which can be used to force a fully-qualified non-https url of all the pages so if someone is on a https page, any link will go to a http page...
XSLT method we use to output urls in various formats including fully qualified forced http:// paths
Code:
public static string NiceUrlFullyQualifiedPath(int nodeId, bool isSsl, bool isOverride, bool isEncoded)
{
    //default to http, switch to https when requested
    string proto = "http";
    if (isSsl) proto = "https";
    //isOverride keeps the protocol of the current request
    if (isOverride && HttpContext.Current.Request.IsSecureConnection) proto = "https";
    if (isOverride && !HttpContext.Current.Request.IsSecureConnection) proto = "http";
    string niceUrl = umbraco.library.NiceUrl(nodeId);

    //prefix protocol and server name when the url is not already fully qualified
    if (niceUrl.IndexOf("http://") == -1 && niceUrl.IndexOf("https://") == -1)
        niceUrl = proto + "://" + umbraco.library.RequestServerVariables("SERVER_NAME") + niceUrl;

    if (isEncoded)
        return HttpContext.Current.Server.UrlEncode(niceUrl);
    else
        return niceUrl;
}
|
|
 Rank: Fanatic
Joined: 7/19/2006 Posts: 492 Location: Göteborg, Sweden
|
I just wanted to add the simplest way possible to perform a redirect to HTTPS aka SSL for any path within your umbraco installation. Use the included UrlRewriteNet module and add the following to the config file (/config/UrlRewriting.config):
Code:
<add name="EnforceSSLForUmbracoBackend"
     virtualUrl="http://(.*)/umbraco/(.*).aspx"
     rewriteUrlParameter="ExcludeFromClientQueryString"
     destinationUrl="https://$1/umbraco/$2.aspx"
     ignoreCase="true"
     redirect="Domain"
     redirectMode="Permanent"/>
This will look for any domainname that loads a file from the folder /umbraco via http and rewrite it to HTTPS, as simple as that ; ) This will also match every page if you have a section named umbraco in your website of course. In that case add an extra " umbraco" to the virtualUrl and destinationUrl paths ; )
This could be complemented with additional rules for sensitive parts of your site like:
<add name="EnforceSSLForWebshop"
     virtualUrl="http://(.*)/MyWebShop/(.*).aspx"
     rewriteUrlParameter="ExcludeFromClientQueryString"
     destinationUrl="https://$1/MyWebShop/$2.aspx"
     ignoreCase="true"
     redirect="Domain"
     redirectMode="Permanent"/>
" - Yeah I'd like to share your point of view, as long as it's my view too... ( http://www.d-a-d.dk/lyrics/pointofview)