Signin Module Throws Exception Without SSL

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.


When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
This thread is closed to new posts. You must sign in to post in the forums.
9/17/2013 6:58:40 AM
Total Posts 13

Signin Module Throws Exception Without SSL

Steps to reproduce this error:

Using the current version of mojoPortal on the demo.mojoportal.com site

Log in as admin

Edit the home page

Add a sign in module in the right hand column

Logout

The login panel appears with the message: SSL is available but this page is not using SSL. When using the Sign In module on a page you should configure the page to use SSL

If you go ahead without switching on SSL you get redirected to the standard error page.

I have a site running 2.3.9.0 (without an SSL cert) in which this feature is working OK without SSL, so if it is a bug it's crept in since then.

 

9/17/2013 8:27:10 AM
Total Posts 18439

Re: Signin Module Throws Exception Without SSL

Hi,

I'm not sure I can prevent that error except by changing configuration. The demo site is configured so that the authentication cookie is only passed between the server and browser for secure requests so login will fail on an insecure request resulting in an error because the cookie cannot be set. In fact if you login and then change to non ssl you will no longer appear logged in because the cookie is not passed on insecure requests.

I could configure the demo site less securely to always pass cookies to prevent this error, but why should I? The whole point of the red message about ssl is not for visitors but for site administrators to configure things properly. If SSL is available and you want to put a sign in module on a page then you should go into page settings and require ssl for the page (or the whole site from site settings) to prevent passing authentication credentials insecurely. There are lots of ways possible to cause errors by bad configuration.

If SSL is not available then one would not configure such that cookies can only be passed using ssl, the red message would not be shown and no error would happen. Errors are useful if they lead to correcting configuration problems and should not be masked or prevented in a way to encourage bad configuration. In this case SSL is available and should be used.

Joe

9/17/2013 9:10:22 AM
Total Posts 13

Re: Signin Module Throws Exception Without SSL

Thanks for the speedy reply.

The login page doesn't behave like that, it either redirects to a secure connection or works without ssl if the site is not configured to use it. 

There must be a tidier way to deal with the issue than presenting the user with an error.

9/17/2013 9:32:21 AM
Total Posts 18439

Re: Signin Module Throws Exception Without SSL

The login page has code to force ssl if it is available, but I'm not sure that should be the job of a feature placed on a page, i.e. I don't think I should add code in the module control to do the same.

I agree it is best to avoid the error but it is best to avoid it by correct configuration.

In this case the error happened on the demo site because I configured it to keep the authentication cookie secure, which is not the default configuration; since we cannot assume that ssl is even available in other installations, this has to be set explicitly on purpose. However, I agree that errors on the demo site don't help promote the product and should be avoided. So in this case, since I cannot trust that people trying things out on the demo site will know how to make good choices in page settings or site settings, I have just added a config setting to force ssl on all pages so this error cannot happen on the demo site and the red warning will also never be shown.

<add key="ForceSslOnAllPages" value="true" />

Myself I'm not a fan of the sign in module to begin with, I think security functions should be isolated on their own pages but people requested this feature and I provided it and tried to make it such that people will use it correctly and securely if they do use it.

9/17/2013 10:10:49 AM
Total Posts 13

Re: Signin Module Throws Exception Without SSL

Thanks Joe. Sorry to bug you about it!

9/17/2013 4:45:08 PM
Total Posts 18439

Re: Signin Module Throws Exception Without SSL

Actually, after thinking about it more, I changed my mind and decided to make the module force ssl on the page if it is available. Had mixed feelings about doing that but in the end decided that was the best choice to ensure security and avoid errors. I'm glad you brought this to my attention.

Thanks,

Joe
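
The behaviour settled on in this thread, a sign-in control that moves its own page to HTTPS when the authentication cookie is restricted to secure requests, can be sketched as follows. This is an added example, not part of the thread and not mojoPortal's code; the class name `SecureSignInPanel` is hypothetical, and it assumes ASP.NET forms authentication with `requireSSL="true"` on the `<forms>` element as the way the cookie is kept secure.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Hypothetical control (not mojoPortal code): a sign-in panel that can be
// placed on any page and upgrades the request to HTTPS before it renders.
public class SecureSignInPanel : UserControl
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // RequireSSL is true when <forms requireSSL="true" /> is configured,
        // i.e. the auth cookie carries the Secure flag. In that mode
        // FormsAuthentication.SetAuthCookie throws an HttpException on a
        // plain-HTTP request, which is the error reported in this thread.
        if (!FormsAuthentication.RequireSSL || Request.IsSecureConnection)
        {
            return; // nothing to enforce, or already on HTTPS
        }

        // Same host, path and query string; https scheme; default port.
        var target = new UriBuilder(Request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = -1
        };

        // Redirect without aborting the thread, then skip the remaining
        // pipeline events so nothing else is sent over the HTTP response.
        Response.Redirect(target.Uri.AbsoluteUri, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Behind a load balancer that terminates TLS, `Request.IsSecureConnection` is false even for HTTPS visitors, so the check has to use whatever header the proxy sets or the redirect will loop.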
