SSL for the Admin?

Jan 7, 2011 at 3:42 PM

Just curious, but is there any work done or in the pipe for enabling SSL for authentication and admin panel stuff?  Just curious, as I can think of a lot of production scenarios where you'd want a site to be in mixed-mode (HTTP on public stuff, HTTPS for stuff behind authentication).

Coordinator
Jan 7, 2011 at 7:05 PM

Except if I'm missing something, that is not an applicative feature: you can already do that in IIS.

Jan 8, 2011 at 3:37 PM
Hm, I didn't realize you could force SSL on only certain paths, or based on the user's authentication state, in IIS; I'll have to read up on that.

On Fri, Jan 7, 2011 at 2:06 PM, bertrandleroy <notifications@codeplex.com> wrote:

From: bertrandleroy

Except if I'm missing something, that is not an applicative feature: you can already do that in IIS.


Jan 9, 2011 at 1:15 PM
JasperD wrote:

You can enable SSL encryption for pages that require a login by setting the requireSSL attribute in Orchard's web.config under system.web/authentication.

Your web.config should look like this:

<authentication mode="Forms">
  <forms cookieless="UseCookies" loginUrl="~/Users/Account/AccessDenied" requireSSL="true" timeout="2880" />
</authentication>

(not sure if the loginUrl is correct)

You can set this option in IIS Manager too (Your Site -> Authentication -> Forms Authentication).

By setting requireSSL, the auth cookie is saved in the https context and is therefore not available in the http context. Hence the user is logged in as long as he requests pages using the https protocol, but not if he uses http.

Unfortunately after you have sent your credentials you are redirected to http instead of https version. I'm not sure if this is due to misconfiguration (me) or if the redirect isn't properly implemented in Orchard.

@Jasper: Yeah, that only affects login itself; I was looking at how to do the redirect for a whole area (e.g. Admin).
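One way to get the redirect discussed above at the IIS level, as an added example that is not from this thread or from Orchard: a web.config fragment that pairs the requireSSL setting with a rewrite rule. It assumes the IIS URL Rewrite module is installed and that the admin and login URLs begin with Admin and Users/Account (paths taken from the posts above, not verified against Orchard).

```xml
<!-- Added example: merge into the site's existing web.config. -->
<configuration>
  <system.web>
    <!-- requireSSL marks the forms-auth cookie as Secure, so the browser
         only sends it on HTTPS requests. On its own it does not redirect. -->
    <authentication mode="Forms">
      <forms cookieless="UseCookies"
             loginUrl="~/Users/Account/AccessDenied"
             requireSSL="true"
             timeout="2880" />
    </authentication>
  </system.web>

  <system.webServer>
    <!-- Requires the IIS URL Rewrite module (assumption). -->
    <rewrite>
      <rules>
        <!-- Redirect plain-HTTP requests for the protected areas to HTTPS.
             The path prefixes are assumptions; adjust to the real routes. -->
        <rule name="Force HTTPS for admin and login" stopProcessing="true">
          <match url="^(Admin|Users/Account)(/.*)?$" ignoreCase="true" />
          <conditions>
            <!-- {HTTPS} is "OFF" when the request arrived without TLS. -->
            <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
          </conditions>
          <!-- {R:0} is the full matched path; the query string is kept. -->
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:0}"
                  appendQueryString="true"
                  redirectType="Found" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Links that point from an HTTPS admin page back to public HTTP pages still leave the session without its cookie there, which matches the logged-in-on-https-only behaviour described above.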

Jan 9, 2011 at 6:54 PM
Edited Jan 9, 2011 at 7:44 PM

ah, of course... sorry, I wasn't thinking; thanks for keeping me straight.

Of course, that still doesn't do the redirect for you afaik, you have to either write your link to the login as https or else do some other redirect, which I guess is what I was trying to ask about originally; the equivalent to the requiressl attribute.

Jan 10, 2011 at 3:51 AM

Yeah, understood on the quick'n'dirty, I was trying to see if there was a facility built in already for a clean way; failing that I figured on coming up w/ a clean way. I don't think it's good for the general solution to go after the quick and dirty.  

I think that w/ the global filters in MVC 3, there's probably an angle we could work for letting a module inject some logic to handle this kind of thing, but I haven't worked through all the pros and cons yet.

Jan 10, 2011 at 4:24 PM

Looking at some of the examples and source code, I'm not sure of the absolute best way that would let you do it for existing content types (e.g. blog posts). That said, one path might be to have a requireSSL field you could add to content types, and then look for that in a filter or the like. I initially thought that you'd do it in a Handler, but those appear to be more CMS-side events (I may have missed it, but it looked like the wrong place to be calling for a redirect). There is also a concept of a FilterProvider, which would let you add one or more ActionFilters, it looks like, but I don't know how those get registered.

Jan 24, 2011 at 8:12 PM

Has anyone figured out how to do this? To get Orchard to switch to SSL when the user is logging in, but go back to non-SSL mode for everything else?

Coordinator
Jan 27, 2011 at 4:38 AM

You asked for it, I did it ;) Not using those techniques though.

http://www.orchardproject.net/gallery/Packages/Modules/Details/Secure-Sockets-Layer-1-0

 

Coordinator
Jan 29, 2011 at 12:27 AM

Thanks for the feedback, I will test it. I have published the specific codeplex site so that we can use it now instead of Orchard's one.