Why do we allow duplicate content via http\https?
If I have a page set to not require ssl...I expect sitefinity to not allow it to be served (redirect automatically) via https.
http://www.homepage.com (great, no ssl set)
https://www.homepage.com (wtf, why is this working)
Shouldn't need a custom redirect module to handle this...
Hi Steve,
This used to work fine but I found that it broke while upgrading to 6.1 SP1. I have reported it and it has been confirmed as a bug. I'm not sure yet when it will be fixed, but I assume and expect very soon.
Hi all,
In Sitefinity 5.x and 6.0 versions there were a problem that has been fixed in Sitefinity 6.1:
SSL: Sitefintiy performs redirect to the non-secured page even if SSL is applied on site level
For your convenience please review our release notes.
In Sitefinity 6.1 the default behavior is the following:
RequireSSL property defines whether a page will be under SSL or not. If you have applied SSL binding for the whole site but your page does not require SSL, when you request for example:
So what you're saying is Sitefinity allows the entire site to be indexed onto search engines twice...and that's the desired behavior?
We don't have SSL for the whole site, only 2-3 pages...so I would expect Sitefinity to not serve the rest of the pages under SSL.
Stefani,
This is undesired behavior and it has already been confirmed and logged for fixing (see support ticket #728673).
It's simply not acceptable to serve regular content under https too, for the reasons Steve explained, but also because third party code that may be embedded in pages (like banners) can cause problems (SSL warnings).
Steve,
I just got the confirmation that this will be fixed quickly: "It will most likely be fixed in the next immediate release".
One burned, twice shy :)
...I'll believe it when I see it, I've heard that too many times before. I have my own logic to check this in my masterpage with a config toggle in the backend. If they add it I can disable my logic...until then I'm back working.
Hi all,
We totally agree with you that the problem is caused by a bug. Thank you for all the additional steps you have sent. Please find the bug description in PITS on the following URL. The bug is marked as critical and it will be fixed soon.
Regards,
Stefani Tacheva
Telerik
Hello Steve, Arno,
As the page property is named "Require Ssl" and when it is marked - it is easy to understand that the page should be served via https. But when the property value is "false" this means it does not require ssl and it does not obligate you to serve the page neither via http nor via https.
In fact the in 6.1 we've fixed this behavior because there were clients that require their pages to be available on https if they request them using ssl and they do not want their pages to require ssl.
We understand your concerns and now we're going to add a global configuration - RemoveNonRequiredSsl (turned off by default). And you will be able to turn it on in order to insist for such redirects and the pages that does not require ssl will be available only on http.
I hope this will be ok for you and the rest of our clients. (Please keep in mind that the default behavior should conform with the name of the property "require ssl").
Regards,
DimBo
Telerik
Hi DimBo,
This sounds good to me. Is this still planned for the "next immediate release" as discussed in the support ticket?
More than perfect, everyone will be happy :)
Hi guys,
I'm glad to hear your positive feedback and yes it will be part of the next release (6.1 SP2).
Have a nice day,
DimBo
Telerik
Hi guys,
It looks like this is still an issue in Sitefinity 7. Please let me know if there is a setting that I am missing.
Thanks.
Hi JGarland,
Please check this.
Any update on this? I'm having the same problem on v7.1
Hi
Regarding the following problem:
feedback.telerik.com/.../100718-visiting-a-page-under-https-causes-all-subsequent-pages-to-be-served-under-https
It has been resolved in Sitefinity 6.2 SP2.
A configuration has been introduced in order to support the old behavior.
Settings > Advanced > System > SiteUrlSettings > Remove ssl when the page does not require it