> > >

Enhancement

Secure Sockets Layer (SSL)

User Story

Currently, DotNetNuke does not officially support SSL. It's possible that it may work if the entire site was served up in SSL, from the first hit to the site...but there is no way to determine which functionality requires SSL, and which doesn't. For performance reasons, it's generally not advised to run your entire site on SSL because SSL does slow down the response of a web page.

The ideal situation is one where SSL can be required for a particular tab, and for login. Also, since IIS limits a single web site to a single SSL certificate, the solution will need to account for the possibility of many portal sites using SSL on a single, common domain.

Engineering Tasks

1. Move PortalAlias column out of Portals table and give it its own table.
a. Create PortalAlias table with the following columns:
-PortalAliasID
-PortalID
-HTTPAlias
-HTTPSAlias

2. Change configuration.vb - Add properties to PortalSettings for PortalAliasID, HTTPAlias, HTTPSAlias...keep PortalAlias for binary compatibility, but set its value to HTTPAlias. Also, change the objTab.URL to reflect the full path, including "http://" or "https://".

3. Add SecurityTokens table. When a site has a tab that requires SSL, a security token will be issued for the user in the form of a cookie...it will have the SecurityTokenGUID in it. When the user clicks on the tab to view the tab that requires SSL, the URL will have the HTTPS prefix added and the SecurityTokenID appended to the querystring. The SecurityToken system allows us to use a shared domain name for SSL that all portal sites can have access to...which falls within IIS's limitations of allowing only one SSL certificate per IIS website. The SecurityTokensTable will have these columns:
-SecurityTokenGUID
-SourcePortalAliasID
-DestinationPortalAliasID
-StartDate
-EndDate
The StartDate and EndDate are used to specify a period of time that the security token is valid. You can specify this in terms of minutes. This design reduces the possibility of a session getting hijacked.... When the security token expires, a new SecurityToken will be issued. The SourcePortalAliasID and DestinationPortalAliasID, in the case of SSL, will be the same. They are included in the table now to support cross-portal authentication in the near future. If you are on one portal and want to authenticate on another portal (in the same DNN installation) that you have access to, it will be possible with the security token.

4. Change Global.asax.vb to utilize the security tokens to force authentication if user is not already authenticated.

5. Change SolPartMenu.ascx.vb so it uses the security token as a querystring parameter when going to a tab that requires SSL.

6. Assure that there is no content being transmitted in HTTP on an HTTPS connection (images, .js files, etc.).

Owner

Dan Caron

Resources

DotNetNuke Corporation

DotNetNuke Corp. is the steward of the DotNetNuke open source project, the most widely adopted Web Content Management Platform for building web sites and web applications on Microsoft. Organizations use DotNetNuke to quickly develop and deploy interactive and dynamic web sites, intranets, extranets and web applications. The DotNetNuke platform is available in a free Community and subscription-based Professional and Enterprise Editions with an Elite Support option. DotNetNuke Corp. also operates the DotNetNuke Store where users purchase third party apps for the platform.

Community
- Get Involved
- Extension Forge
- Forum
- Blog
- Teams
- Recognition
Resources & Support
Partners
News Room
App Gallery
- The Store
- Extension Forge
What is DNN
Get Started
- Downloads
- Video Instruction
In Action
About Us
sales@dnncorp.com (650) 288 - 3150 (650) 288 - 3191

Hosted by MaximumASP