Using login widget on SSL page

Posted by Community Admin on 03-Aug-2018 20:06

All Replies

Posted by Community Admin on 09-Oct-2012 00:00

Is there a way to use the login widget on a page that requires SSL without having to write custom code or handlers for it? The login widget works fine as long as I do not set "Require SSL" on the page properties.

Posted by Community Admin on 15-Oct-2012 00:00

Just curious...

  • What version of Sitefinity are you using?
  • Are you using the backwards compatible Login widget or the NEW Login widget?  

From what I understand, if you are using form authentication then you need to be using the backwards compatible Login widget and if you are using claims based authentication then you need to use the other Login widget.

Just want to provide some clarification on the issue.  Thanks.

Posted by Community Admin on 28-Jan-2013 00:00

I'm surprised someone from Telerik hasn't answered this question from October yet.

I was also completely stumped on this issue until today. Setting any page with the login widget (Sitefinity v. 5.2, current widget version, using Claims authentication) to require SSL would result in "error:" and no explanation when the form was submitted.

This obscure setting, in the regular Sitefinity documentation, worked for me:

www.sitefinity.com/.../configuring-the-login-widget

"If you are experiencing problems with the login when an SSL certificate is installed on the login page, click Administration » Settings » Advanced » Security. In AccessControlAllowOrigin, enter *. If this does not solve your problem, return its value to null."

** edit **

The fix above worked for Firefox, but NOT for IE (ver. 9), which comes back with "error: undefined".

Can someone from Telerik chime in? Not being able to encrypt login pages is a MAJOR security issue, and prevents PCI compliance.

Thanks,
Kevin

Posted by Community Admin on 29-Jan-2013 00:00

Hi everyone,

We're sorry to hear about the issues you've experienced with the public login widget placed on a require SSL page. The behavior might be caused by an incorrect request to the STS, since you mentioned this is valid for Claims authentication cases.
Can you please try configuring your <wsFederation> node in the application's web.config, as per the first step in the instructions we've provided for Securing a Sitefinity Backend with SSL, namely:

1. Modify the web.config wsFederation node:

<wsFederation passiveRedirectEnabled="true" issuer="https://localhost/Sitefinity/Authenticate/SWT" realm="http://localhost" requireHttps="true"/>

If any issues persist, please do not hesitate to let us know, we'll be glad to help.

Kind regards,
Boyan Barnev
the Telerik team

Posted by Community Admin on 03-Feb-2013 00:00

Boyan,

Making that modification to the wsFederation node in web.config doesn't help. In fact, it breaks things further. Every page with the login widget now displays "error:" when credentials are submitted (even though the pages themselves are set to not require SSL). Even worse, now I can't get into the backend at all. When I attempt to go to http://[my web site]/sitefinity, the browser redirects to the following address, and the browser complains about not being able to connect:

localhost/.../SWT web site]%2f&redirect_uri=%2fsitefinity%2f&deflate=true

In other words, it's telling the browser to find the backend on my local computer (localhost). I thought maybe the second step on the "Securing a Sitefinity Backend with SSL" might help things, but there was no difference when I added that line to SecurityConfig.config. I couldn't continue to step 3, because I can't get into the backend to make page changes.

I have since reverted my web.config file back to the original state, and while I still can't set SSL for any login pages, at least I can use them in non-SSL mode, and I can get back into the /sitefinity backend.

Any ideas on what's wrong?

Thanks,
Kevin

Posted by Community Admin on 06-Feb-2013 00:00

Hello,

After investigating the issue in more detail, the proper way to resolve the issue in IE is to set it like so:

<federatedAuthentication>
  <wsFederation passiveRedirectEnabled="true" issuer="http://localhost" realm="http://localhost" requireHttps="true"/>
  <cookieHandler requireSsl="false"/>
</federatedAuthentication>

and if you get the missing relying party error, just add the address from the error to the security config like so:
<relyingParties>
  <add key="F033D3A3799B086BCB17ED59CD440F4B9FFB99830D862396ECDBEEBBE70C6487" encoding="Hexadecimal" realm="http://mysite.com" />
  <add key="F033D3A3799B086BCB17ED59CD440F4B9FFB99830D862396ECDBEEBBE70C6487" encoding="Hexadecimal" realm="https://mysite.com" />
</relyingParties>

A problem in IE is that the widget is trying to call from https to http and IE classifies this as a cross-domain call and blocks it. This setting will resolve the problem.

Greetings,
Atanas Valchev
the Telerik team
Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
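
A configuration check for the two fragments in the reply above, as an added example that is not part of the original post or Telerik's code. It reports a cookieHandler with requireSsl="false" (in WIF this setting controls the Secure attribute of the session cookie) and relying-party realms that would not match both scheme variants of a site. The function names, the exact-string realm comparison, the placeholder keys and the embedded fragments are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: web.config fragment using the settings discussed in this thread.
FEDERATION = """
<federatedAuthentication>
  <wsFederation passiveRedirectEnabled="true" issuer="http://localhost"
                realm="http://localhost" requireHttps="true"/>
  <cookieHandler requireSsl="false"/>
</federatedAuthentication>
"""

# Constructed sample: relying-party list with placeholder keys. The second realm
# carries a trailing space to show the failure mode the check is meant to catch.
RELYING_PARTIES = """
<relyingParties>
  <add key="PLACEHOLDER" encoding="Hexadecimal" realm="http://mysite.com"/>
  <add key="PLACEHOLDER" encoding="Hexadecimal" realm="https://mysite.com "/>
</relyingParties>
"""


def cookie_findings(fragment):
    """Report a session cookie that is issued without the Secure attribute."""
    cookie = ET.fromstring(fragment).find("cookieHandler")
    findings = []
    # Only an explicit requireSsl="false" is reported; no default value is assumed.
    if cookie is not None and cookie.get("requireSsl", "").lower() == "false":
        findings.append("session cookie issued without Secure attribute")
    return findings


def realm_findings(fragment, host):
    """Compare registered realms with the http and https variants of `host`.

    Assumption: realms are compared as exact strings, so a scheme difference
    or stray whitespace makes a realm count as unregistered.
    """
    realms = [a.get("realm", "") for a in ET.fromstring(fragment).findall("add")]
    malformed = [r for r in realms if r != r.strip()]
    wanted = [f"{scheme}://{host}" for scheme in ("http", "https")]
    missing = [r for r in wanted if r not in realms]
    return {"malformed": malformed, "missing": missing}


if __name__ == "__main__":
    print(cookie_findings(FEDERATION))
    print(realm_findings(RELYING_PARTIES, "mysite.com"))
```

On a site where every login page is served over HTTPS, as described later in this thread, the cookie finding is the one to revisit: with requireSsl="false" the browser will also attach the session cookie to plain HTTP requests for the same host.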

Posted by Community Admin on 07-Feb-2013 00:00

Atanas,

Thank you-- I got the same answer via a support ticket today, and it works, with a couple caveats (that I'll paste in from my ticket):

- Now any page that has the Login widget MUST be marked as "Requires SSL" in the backend, or it will break with the "error:" (Firefox) or "error: undefined" (IE). That's ok, because once I marked every login page as "Requires SSL" in the backend they worked fine, but I expect that will confuse some people at first with login pages not marked as "Requires SSL".

- This also means that you can't have a site with mixed SSL and non-SSL login pages-- they all have to be one or the other. Not a problem for me, but may be for some.

- The Sitefinity login page needs to be accessed via https now, as in: https://[my site]/sitefinity. If I leave it as http:// as before, it won't redirect to the dashboard correctly (throws an error), even though it does actually log me in (if I manually direct to the dashboard, it's ok). It doesn't seem to matter if the Sitefinity login page is marked as "Requires SSL" in the backend or not; the behavior is the same. This may be fixed if I mark all backend pages as requiring SSL (that's the next step).

Thanks again-- this fixes a long period of hair-pulling. May I suggest that all of this be made more straightforward in future releases?

Posted by Community Admin on 12-Feb-2013 00:00

Hello Kevin,

Thank you for getting back to us and providing your constructive feedback on the issue. 
I have summarized it in a feature request which is also available in our public issue tracking portal here. You can track its status and vote for its popularity there.

Please do not hesitate to let us know if there's anything else we can assist you with.

Regards,
Boyan Barnev
the Telerik team

This thread is closed