20 March 2008

We are using DotNetNuke version 4.5.5 and have implemented SSL effectively. We initially faced a few issues, which we resolved. I hope what we learned will help others as well.

Our requirement was to use SSL only on the pages that need to be secure and not on other pages. We also did not want to see the alert message "This page contains both secure and non secure items".

To resolve the second issue we had to find every reference to a non-secure resource. In most cases you probably have an http link to an image. The best way to find any HTTP link to an image or a JavaScript/CSS file is to view the page source and search for HTTP://. In our case the issue was due to the Google Analytics code. This can be easily resolved by using the new code from Google Analytics.

Following are the steps you can follow to avoid all the issues:
1. Install the SSL certificate.
2. Log in to the portal using an administrator or Host (super user) account.
3. Open the Admin->Site Settings page.
4. Go to Advanced Settings->SSL Settings.
5. Check the "SSL Enable" check box. This option enables the "Secure" checkbox under Page->Settings.
6. Now open the pages that you want to secure, e.g. the shopping cart. Click on the page settings and expand the advanced settings. Now check the Secure check box.
7. Do the same with any other pages that you want to SSL enable.

The problem with the above solution is that once a user opens any SSL-enabled page, the URL automatically switches to https://. This is good, but when the user then goes to other pages the URL is still https://. This is not good.

To resolve this issue you need to go back to Admin->Site Settings->Advanced Settings->SSL Settings and then
8. Check the "SSL Enforced" check box. When this option is set, pages which are not marked as Secure will not be accessible with SSL and the URL will automatically change back to HTTP://.

The problem with this solution is that if you are using a page which is not a DNN page, you will not be able to secure it. I mean you will not be able to use HTTPS. DNN will always try to redirect back to the http URL. In our case we were using an ImagePage.aspx to retrieve images from the SQL database and display them on pages. On non-secure (non-https) pages that was working fine, but on secure pages DNN was trying to redirect the ImagePage URL to the http URL, and that was breaking the images.

We had two options: either write a fully qualified URL wherever we were using the ImagePage.aspx page to display images, or change the DNN behaviour. We selected the second option and were able to resolve the issue with a single line of code. The solution follows.

Open the complete Dotnetnuke solution that includes library and website projects. Now open the following file:
DotNetNuke_04.05.05_Source\Library\HttpModules\UrlRewrite\UrlRewriteModule.vb.
Then open the following method:
Public Sub OnBeginRequest(ByVal s As Object, ByVal e As EventArgs)

Now change the following lines:

' manage secure connections
If (Request.Url.AbsolutePath.ToLower.EndsWith(".aspx")) Then
TO
If ((Request.Url.AbsolutePath.ToLower.EndsWith(".aspx")) And (Request.Url.AbsolutePath.ToLower.Contains("imagepage.aspx") = False) And (Request.Url.AbsolutePath.ToLower.Contains("image.aspx") = False)) Then

OR change the following lines:
' if a protocol switch is necessary
If (strURL <> "") Then
TO
' if a protocol switch is necessary
If ((strURL <> "") And (Request.Url.AbsolutePath.ToLower.Contains("imagepage.aspx") = False) And (Request.Url.AbsolutePath.ToLower.Contains("image.aspx") = False)) Then

Here you can replace "imagepage.aspx" and "image.aspx" with the pages you want to exclude from the DNN SSL enforcement. Note that Contains matches anywhere in the path, so any page whose path includes one of these names is exempted as well.

Compile the solution and you are good to go.


2 comments:

  1. How did you SSL enable the login, register, admin, and host pages? They don't show up in the pages menu to mark the secure option.

  2. Hi Matto, I believe you can use the same logic that I used for the "imagepage.aspx" & "image.aspx" pages to exclude the DNN SSL enforcement. You can use the same logic to find "ctl/login" & "ctl/register" in the URL and enforce SSL (reverse of what I did for imagepages).

    If (Request.Url.AbsolutePath.ToLower.Contains("ctl/login") = True) Then

    Please let me know how it works.
