Skip to main content

Enabling SSL in Dotnetnuke and excluding few files from SSL Enforced process

We are using Dotnetnuke version 4.5.5 and implemented SSL effectively. We initially faced few issues which we resolved. I hope our learning will help others as well.

Our requirement was to use SSL on only pages that need to be secure and not on other pages. Also we do not want to see any alert message "This page contains both secure and non secure items".

To resolve the second issue we had to find any reference to non secure resource. In most of the case you probablly have a http link to any image. Best wat to find any HTTP link to image any JavaScript/CSS file is to view source and search for HTTP://. In our case the issue was due to Google Analytics code. This can be easily resolve by using the new code from Google Analytics.

Following are the steps you can follow to avoid all the issues:
1. Install SSL certificate
2. Login to portal using administrator or Host (super user) account.
3. Open Admin->Site Settings page.
4. Go to Advance settings-> SSL settings.
5. Check the "SSL Enable" check box. This option will enable "Secure" checkbox on the page->settings.
6. Now open the pages that you want to secure, e.g. shopping cart. Then click at page setting and then expand the advance setting. Now check the secure check box.
7. Do the same with other pages as well that you want to SSL enable.

Problem with about solution is that once user open any SSL enabled page then url automatically turned into https:// user. This is good but then user go to other pages and url still the https://. This is not good.

To resolve this issue you need to go back to Admin->Sit settings->advance settings->SSL settings and then
8. Check the "SSL Enforced" check box. When this option is set, Pages which are not marked as Secure will not be accessible with SSL and url will automatically change back to HTTP://.

problem with this solution is that is you using a page which is not a DNN page then you will not able to secure it. I mean you will not able to use HTTPS. DNN will always try to redirect back to http url. In our case we where using a ImagePage.aspx to retrieve the images from SQL database and display it on pages. On non-secure (non https)
pages that was working find but on secure pages DNN was trying to redirect imagepage url to http url. and that was breaking images.

We had two solution that either we write fully qualifies url wherever we were using imagepage aspx page to display images or change the DNN behaviour. We selected the second option and able to resolve the issue with single line of code. following is the solution.

Open the complete Dotnetnuke solution that includes library and website projects. Now open the following file:
DotNetNuke_04.05.05_Source\Library\HttpModules\UrlRewrite\UrlRewriteModule.vb.
Then open the following method:
Public Sub OnBeginRequest(ByVal s As Object, ByVal e As EventArgs)

Now change the following lines:

' manage secure connections
If ((Request.Url.AbsolutePath.ToLower.EndsWith(".aspx")) Then
TO
If ((Request.Url.AbsolutePath.ToLower.EndsWith(".aspx")) And (Request.Url.AbsolutePath.ToLower.Contains("imagepage.aspx") = False) And (Request.Url.AbsolutePath.ToLower.Contains("image.aspx") = False)) Then

OR change following lines:
' if a protocol switch is necessary
If ((strURL <> "") Then
TO
' if a protocol switch is necessary
If ((strURL <> "") And (Request.Url.AbsolutePath.ToLower.Contains("imagepage.aspx") = False) And (Request.Url.AbsolutePath.ToLower.Contains("image.aspx") = False)) Then

Here you can replace the "imagepage.aspx" & "image.aspx" with the pages you want to exclude the DNN SSL enforcement.

Compile the solution and you good to go.

Comments

  1. How did you SSL enable the login, register, admin, and host pages? They don't show up in the pages menu to mark the secure option.

    ReplyDelete
  2. Hi Matto, I believe you can use the same logic that I used for the "imagepage.aspx" & "image.aspx" pages to exclude the DNN SSL enforcement. You can use the same logic to find "ctl/login" & "ctl/register" in the URL and enforce SSL (reverce of what I did for imagepages).

    IF (Request.Url.AbsolutePath.ToLower.Contains("ctl/login") = True)) Then

    Please let me know how it work.

    ReplyDelete

Post a Comment

Popular posts from this blog

SharePoint WebPart Error - Unable to add selected web part (s) – MOSS 2007

ISSUE: Recently I faced this issue that when I try to deploy my WebPart.  Unable to add selected web part(s). WebPartName: Cannon unregister UpdatePanel with ID ‘ctl00RTMPanel’ since it was not registerd with the ScripManager. This might occure if the UpdatePanel was removed from the control tree and later added again, which is not supported. Parameter name: updatePanel.   I faced this issue twice and both the time the issue was not what display here. This could be sure to any error in the WebPart. Following are list resolution from multiple instances.   RESOLUTION: 1. Check the WebPartName.webpart file. Check whether you have a proper PublicKeyToken value. When I face the issue the value was PublicKeyToken=$PublicKeyToken$. If you have used WSP builder then in the Visual Studio you will find this file at \WebPartsProject\12\TEMPLATE\FEATURES\WebPartName\WebPartName.webpart. Sometime when you create a new WebPart using WSP builder then you do not get

TIME – 25 Best Blogs of 2009

Every year Time makes a list of best blogs in the world. They chose 25 blogs from millions of blogs in the world, spanning politics, housekeeping, astronomy and everything in between. Below if a direct link to the TIME website for the list. I also copied it to easy comparison of last year best with this year best blogs.   25 Best Blogs of 2009     25 Best Blogs 2008   25 Best Blogs of 2009 Talking Points Memo The Huffington Post Lifehacker Metafilter The Daily Dish by Andrew Sullivan Freakonomics BoingBoing Got2BeGreen Zen Habits The Conscience of a Liberal: Paul Krugman Crooks and Liars Generación Y Mashable Slashfood Official Google Blog synthesis bleat /Film Seth Godin's Blog Deadspin: Spor

Howto Run Your HTML Static Website Locally In IIS On Windows PC

WHAT & WHY: As a developer many time you may wish if you could run your static HTML website locally on your computer (Windows 7, Windows Vista, Windows XP, Windows 2008). Although with Static website, you could easily download and double click the index.html or home.html file to open and run other pages. But this will not give you the real world senario. For example you will not able to use a path like /images/home-page-banner.jpg. You will have to use a relative paths like ../images/home-page-banner.jpg. Following are very easy steps to do so. These steps are for Static HTML website. I will also post steps for more advance websites that uses ASP, ASP.NET, Dotnetnuke etc and uses database server.   WHAT YOU NEED: 1. IIS Server installed on your local machine 2. FTP username, password to download files form your FTP server 3. Administrative rights on local machine. Many task will display messages requesting Administrative privilege to run the task.    STEPS: 1.