SSL on all pages

This is an open forum for any mojoPortal topics that don't fall into the other categories.

This thread is closed to new posts. You must sign in to post in the forums.
2/22/2012 3:56:19 AM
Len
Gravatar
Total Posts 36
"It isn’t enough to think outside the box.Thinking is passive. Get used to acting outside the box."

SSL on all pages

Hi,

History tread https://www.mojoportal.com/Forums/Thread.aspx?thread=9739&mid=34&pageid=5&ItemID=3 

Operating System:  Win7 (Microsoft Windows NT 5.2.3790 Service Pack 2)

database platform:  MSSQL - net 40

mojoPortal Version :  2.3.8.1 MSSQL

ASP.NET Info:  v4.0.30319 Running in Partial Trust 

Can anyone advise me on how to config the SSL settings under the new version net4.0 - 2.3.8.1 been through just about everything I can find on mojoPortal documentation, forums and updated release notes.  

I recently updated from version net 3.5 - 2.3.6.4 my SLL was working fine on the required pages as I do not use SSL globally on the site. However since it was updated to version net3.5 - 2.3.8.1 it stopped working like it used to so. I tried updating to version net4.0 - 2.3.8.1 and still have the same problem.

 <add key="SSLIsAvailable" value="true" /> is set in user.config as it was before and no changes have been done to any page SSL setting.

The only time the site SSL works correctly is before login. Once logged in every page url is coming up with https://www.sitename.... which obviously requires SSL but the page setting is to not use SSL as adverts or external links are on the pages. Even pages that do have SSL settings are also coming up with errors. Have tried different browsers and from different desktops.  

Any advise or help would be appreciated

Len

2/22/2012 6:56:08 AM
Gravatar
Total Posts 18439

Re: SSL on all pages

Hi Len,

Yes there was a change. Once a user is authenticated we need to keep them in SSL for the remainder of their session to protect their authentication and role cookies from being stolen which would allow another user to access the site in the context of the user whose cookies he stole. The risk is mainly when using public wifi, but lots of people access the web over public wifi. Nowadays there are tools that make it trivial to sniff packets on a public network and if a user is authenticated but not using ssl then his cookies are passed in the clear in the request headers and can be sniffed easily. The same possibilities exist on a local network, but the risks are higher on a public network where strangers are also connected to the same network.

For more detail see the recent article Use SSL.

Best,

Joe

2/22/2012 7:05:53 AM
Len
Gravatar
Total Posts 36
"It isn’t enough to think outside the box.Thinking is passive. Get used to acting outside the box."

Re: SSL on all pages

Thanks Joe,

Tried all the setting as per your link but still can not get past SSL error warnings.

Chrome just runs with a slashed red https:/ Firefox ignores all warnings and IE will not let you log in unless you say "Yes"or "No" to the Security warning "Do you want to view only the webpage content that was delivered securely?"

I can't find out way this is happening.

Len 

2/22/2012 7:18:22 AM
Gravatar
Total Posts 18439

Re: SSL on all pages

Hi Len,

Those warnings are caused by things in your content that don't use relative urls, anything with src="http://" will cause those warnings on a secure page. If you use src="https://" or a relative url that starts with / like src="/" for anything that uses src= it will solve it.

Typically it will be images or javascript references that use src=

It could be things in your content or in your layout.master file that need to be fixed to use relative urls. For external scripts like Facebook, Twitter etc (anything that loads from another domain), you can use src="//" 

Hope that helps,

Joe

2/22/2012 7:21:16 AM
Len
Gravatar
Total Posts 36
"It isn’t enough to think outside the box.Thinking is passive. Get used to acting outside the box."

Re: SSL on all pages

Thanks Joe will look into that.

3/13/2012 10:10:03 AM
Len
Gravatar
Total Posts 36
"It isn’t enough to think outside the box.Thinking is passive. Get used to acting outside the box."

Re: SSL on all pages

Hi Joe,

My site seems to be running fine if and do not use SSL set to true. Have tried all as you advised but no matter what settings or changes I do it will not work.

Have tried using another skin in the site 1 skins folder so it runs with a different master config file and have even created a completely new skin with Artisteer 3 with the mojoPortal base skin artisteer31-headermenu from the extra-skins.zip file.

I tried to see what is going on in the System Log and all I get is the following info and errors nothing else. I have cleared the log history. Run the setup/default again and get no warnings or errors and still just get dozens of the follow lines in the system log.

2012-03-13 11:18:21,463 INFO 2012-03-13 11:18:21,478 INFO 2012-03-13 11:18:21,588 INFO 2012-03-13 11:18:21,588 INFO 2012-03-13 11:18:31,619 INFO 2012-03-13 11:22:06,902 INFO 2012-03-13 11:59:29,432 ERROR 2012-03-13 12:15:17,078 ERROR 2012-03-13 12:56:29,938 ERROR 2012-03-13 13:08:53,474 ERROR 2012-03-13 13:18:15,134 INFO

Any further help would be appreciated.

Thanks

Len

3/13/2012 10:17:01 AM
Gravatar
Total Posts 18439

Re: SSL on all pages

Hi Len,

There is no server error caused by a browser warning so there is nothing expected in the log.

I've told you all I know about the cuases and fixes for browser warnings caused when a page is using ssl but not all the resources on the page are using ssl. 

It doesn't have to be something in the skin causing it, it can be caused by something in your content such as an image or javascript that has src="http: 

Best,

Joe

3/13/2012 10:56:23 AM
Gravatar
Total Posts 18439

Re: SSL on all pages

If you give me an url that has the browser warning I can take a look and try to find out what is on the page causing it.

3/13/2012 12:55:20 PM
Len
Gravatar
Total Posts 36
"It isn’t enough to think outside the box.Thinking is passive. Get used to acting outside the box."

Re: SSL on all pages

Hi Joe,

I have setup as follows

<authentication mode="Forms">
<forms name=".mojochangeme" protection="All" timeout="50000000" path="/" cookieless="UseCookies" requireSSL="true" />

</authentication>

<httpCookies requireSSL="true" httpOnlyCookies="true" />

I can see that the lock is missing when on the below link but as soon as I move to a page that I have set the require SSL in page settings it comes on and all the url's on the site are https//:www this works in Firefox & IE but in chrome all url's are a striked out https:// and in red.

I have cleared the cookies but still get the same thing   

https://www.docuworx.co.za/Default.aspx

I have setup a demo temp user

demo@demo.co.za

demo1

Thanks

Len

3/13/2012 1:13:10 PM
Gravatar
Total Posts 18439

Re: SSL on all pages

All you have to do is view the source of that page and follow up on what I originally told you, search for src= then go through each one and look for any that have http and not https or not a relative url and that is the cause of the warning. It took me 2 seconds to find the  problems:

1st problem google ad script in 2 places on the page like this:

<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js">

src="http is not secure

2nd problem Facebook badge:

<img style="border: 0px;" src="http://badge.facebook.com/badge/646107949.477.487349112.png" alt="" width="150" height="89" />

src="http is not secure

3rd problem Twitter badge:

<img src="http://twitter-badges.s3.amazonaws.com/follow_us-c.png" alt="Follow Len_leRoux on Twitter" />

src="http is not secure

Hope that helps,

Joe

3/13/2012 1:22:17 PM
Len
Gravatar
Total Posts 36
"It isn’t enough to think outside the box.Thinking is passive. Get used to acting outside the box."

Re: SSL on all pages

Thanks Joe

3/13/2012 1:53:44 PM
Len
Gravatar
Total Posts 36
"It isn’t enough to think outside the box.Thinking is passive. Get used to acting outside the box."

Re: SSL on all pages

Hi Joe,

src="//" not working for facebook or twitter so have to remove all from the pages

Thanks

 

Len

3/13/2012 1:59:24 PM
Gravatar
Total Posts 18439

Re: SSL on all pages

If // doesn't work just make them https:// I just tested both your twitter badge and facebook image with https and it worked.

Its ok to have src="https on any page even unsecured pages so I would do that.

Hope that helps,

Joe

3/13/2012 2:44:33 PM
Len
Gravatar
Total Posts 36
"It isn’t enough to think outside the box.Thinking is passive. Get used to acting outside the box."

Re: SSL on all pages

Thanks Joe getting there slowly. A few beer will be come your way soon.

For Google plus were do I place the code that needs to go into in head of the document tried doing it into the master config but it just does not like it

<!-- Place this tag in the <head> of your document -->
<link href="https://plus.google.com/****************" rel="publisher" /><script type="text/javascript">
window.___gcfg = {lang: 'en'};
(function()
{var po = document.createElement("script");
po.type = "text/javascript"; po.async = true;po.src = "https://apis.google.com/js/plusone.js";
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(po, s);
})();</script>

<!-- Place this tag where you want the badge to render -->
<div class="g-plus" data-href="https://plus.google.com/*******************" data-width="200" data-height="131" data-theme="light"></div>

3/13/2012 2:49:49 PM
Gravatar
Total Posts 18439

Re: SSL on all pages

You don't need to do all that, we have a very simple built in control that you can out in layout.master wherever you want the plus button:

<portal:PlusOneButton id="plusone1" runat="server" showCount="false"/>

it will setup the script for you and it properly handles ssl

Hope that helps,

Joe

You must sign in to post in the forums. This thread is closed to new posts.