Google Chrome Reporting Red "https" crossed out for Sign In Page

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This is the place to report bugs and get support

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum.
This thread is closed to new posts. You must sign in to post in the forums.
8/30/2011 10:51:52 AM
Craig Littlewood
Gravatar
Total Posts 2
View Posts

Google Chrome Reporting Red "https" crossed out for Sign In Page

Hello

I have successfully installed mojoPortal version 2.3.6.7 .net4 medium trust, here in the UK on a web-site hosted by www.daily.co.uk.  Database is MSSQL.

I have also purchased the mobile kit, which is also working well.

However, I decided to add an SSL certificate (Rapid SSL) to encrypt login etc for security.  This is basically working, but I have two issues.

1. When clicking on "Sign In", sometimes the login page does not load, so I have to click again.

2. Google Chrome reports https in the address bar colored red and crossed out.

The latter issue means that Chrome has noticed "in-secure" links on the web page (I think).

I notice that running sign in on the mojoPortal web-site does not behave like this.

I think the problem may be down to the "Recover Password" hyperlink linking to "www.lwsdl.com/Secure/RecoverPassword.aspx", as opposed to "https:://www.lwsdl.com/Secure/RecoverPassword.aspx".  i.e. the https::/ prefix is missing.

You can try this by browsing to "www.lwsdl.com" and attempting to login.

Regards

Craig Littlewood

8/30/2011 12:47:41 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Google Chrome Reporting Red "https" crossed out for Sign In Page

Hi Craig,

When I view your login page in Firefox it says the certificate is not from a trusted authority. That kind of message usually is the result of using a self signed certificate rather than one issues by a certificate authority. But a certificate from Rapid SSL should not cause that so I'mnot sure why it is showing this message.

untrusted certificate

Browsers will also give a warning about a page having both secure and insecure content and that sounds like what you are seeing in Chrome. The problem is not caused by links that use http:// instead of https:// but it will be caused by images or javascript or CSS files that are loaded without https. Relative urls that start with / will inherit the https from the containing page but any images or javscript or css files loaded explicitely with http:// on a page using https:// will cause a browser warning.

On your site it looks to me like you have hard coded the link to the jquery ui css like this:

<link rel='stylesheet' type='text/css' href='http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.14/themes/start/jquery-ui.css' />

and that would cause a browser warning on a secure page.

In mojoPortal the StyleSheetCombiner control in the layout.master should load the jqueryui css correctly and adapt the url to https on secure pages. So for example on the login page of our demo site you would see

<link rel='stylesheet' type='text/css' href='https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.14/themes/south-street/jquery-ui.css' />

So unless you did hard code it I'm not sure why it would not automatically adjust to https.

Hope that helps,

Joe

9/1/2011 5:24:08 AM
Craig Littlewood
Gravatar
Total Posts 2
View Posts

Re: Google Chrome Reporting Red "https" crossed out for Sign In Page

Hello Joe

Thanks for the quick response.

I enabled "debug" on my Google Chrome browser, and it reported security errors on various "http://ajax.googleapis.com/..." scripts and images as you suggested, but also on "http://www.gravatar.com/..".

However, I must stress that I have not made any modifications to this area of the site at all.  In fact, the only thing I have done is remove some links at the bottom of the page from layout.master for the skin I am using (artisteer-30verticalmenu1).  To confirm this has not caused the problem, I changed skins to "andreasviklund-02", but still got the same result.

I mentioned the "Recover Password" link not being https prefixed in my original post.  These links seem to be suffering the same problem.  How does the back end know to use "https" prefix.  i.e. is there something in the database settings that controls this?  Bear in mind that originally the site was installed without SSL certificate being available, and this was then retrofitted.  Could the installation have persisted any settings in this regard.

Thanks and regards

Craig

9/7/2011 1:34:54 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Google Chrome Reporting Red "https" crossed out for Sign In Page

Hi Craig,

Gravatar is not even used on the sign in page so I have no idea why that would happen unless you've put a gravatar in the skin or something to make it on every page. We use gravatar on this site and it causes no errors on secure pages such as the My Account page where SSL is used.

How it determines whether to force SSL is based on the SSLIsAvailable web.config setting. If that is true it will force SSL on pages such as login and register, user profile etc. Then on individual cms pages it is determined based on whether Require SSL On All Pages is checked in Site Settings or whether it is enabled on individual pages from Page Settings.

To determine if the current request is using SSL we have a helper method that is checked SiteUtils.IsSecureRequest()

internally this method checks against Request.IsSecureConnection but that won't return true in the case where the SSL is installed on a load balancer or a proxy server and not on the web server. In that case the communication between the load balancer/proxy server is coming in on port 80 and no SSL is installed on the web server so it is not encrypted on the web server side but the data is encrptyed going back to the client from the proxy which has the SSL certificate. Not sure if that is what your environment is like.

Most load balancers will pass a custom server variable to indicate a secure request and by configuration you can make mojoPortal detect that. It isn't documented yet how to do that so if that is your situation let me know and I'll go ahead and document it.

Hope that helps,

Joe

You must sign in to post in the forums. This thread is closed to new posts.