Archive
Monthly
Go
|
|
DNN Blog
Jul
26
Posted by:
Alec Whittington
7/26/2007
As many of you know, I work for a large hosting company, CrystalTech Web Hosting. My current position is officially titled 'Senior Developer", but I am more of a Jack of all Trades. I have done everything from server administration and troubleshooting to answering the phones in support. One of the things I have been asked frequently over this time period is what about support for SSL within DotNetNuke. The standard answer from me has always been that it will work with shared SSL, but not as the user wishes and that it would work with their own SSL certificate, but they might have to make the links manually so they can point them to the SSL URL .
Well those days are over! Starting with 4.5.4 a person can now easily enable SSL and Shared SSL support on their site. There are two locations that must settings must be set for this to work, Site Settings and Page Settings. Lets start off by looking at the Site Settings.
Site Settings
If you look under Advanced Settings -> SSL Settings you will see the following options:
- SSL Enabled - Check this to signify your site has SSL enabled. If you do not set this, marking a page as secure will have no effect.
- SSL Enforced - When this is set, pages that are not marked as secure will not be available via HTTPS.
- SSL URL - This is the SSL URL for your site. If you own your own SSL certificate, then you do not need to enter anything. This only is used for Shared SSL's. If you are using a Shared SSL, just enter the SSL link as specified by your hosting provider.
- Standard URL - If you are using a Shared SSL and specified a link in SSL URL, then you will need to provide the normal URL of your site.
Next we move on to Page Settings
Page Settings
Under Advanced Settings -> Other Settings you will find a new option, Secure. If you want a page to be served up via HTTPS, then you need to check this setting. As long as you or your Adminstrator has set the SSL Enabled setting to true (checked), then settings this to Secure would force the application to serve this page via HTTPS.
As you can see, setting up SSL for your DotNetNuke site is now easier than ever before. In this day and age of browser exploits, network sniffers, and malicious people, SSL is need to ensure your users their information is protected when sending it across the net to your site. Having SSL enabled lets your users know that you care about their information as much as they do and you are doing what is required to ensure the safety of that information.
10 comment(s) so far...
Re: 4.5.4 Shared SSL support
Is it possible that your Page Settings graphic is the wrong one? I don't see the word 'Other Settings' or even the 'Secure' option. (Also, the first sentence of the second paragragh indicates that it is NOT easier than ever. I assume you meant NOW easier than ever) I don't want to come across as picky, but I though you might want to fix it before too many people saw your post.
By juchytil on
7/26/2007
|
Re: 4.5.4 Shared SSL support
Thank you for pointing out the error in the paragraph. I am horrible at grammar. :)
The second picture is from the page settings. I can confirm this. It was taken from a fresh 4.5.4 installation and obtained from Admin -> Pages -> and either edit an existing or create a new page. This is not a special pre-release version and was obtained from the download menu at the top of the site.
By ncgoose on
7/26/2007
|
Re: 4.5.4 Shared SSL support
Alec, the image is cleary wrong. Try locating Other Settings and Secure option on it. :)
By vitkoz on
7/26/2007
|
Re: 4.5.4 Shared SSL support
Also, if one uses a shared SSL so that regular domain is www.yoursite.com and SSL is secure.myhosting.com - once a user logs in on an SSL and is returned back to the main site, the login will be "lost". So, this option for now would only work for "outbound" SSL communications like CC processing or file download and such. It won't work for DNN.com login scenario. Any thoughts?
By vitkoz on
7/26/2007
|
Re: 4.5.4 Shared SSL support
The image will be updated in a minute, I cut off the bottom when cropping, but I assure you the setting is there.<br><br>As for login, this is correct for shared login. For most people that want to use Shared SSL, it is not to secure the login, rather a Shopping Cart or Back-end area. Is it a limitation, yes clearly it is. But the real question is "Is it better than the current method"? I think yes it is. If one understands the limitations, they can secure all sensitive pages and force the user to login via HTTPS and then stay on the shared SSL site.
Ultimately the solution is for the user to purchase their own SSL certificate and use that, which the majority of businesses do. As stated above, it is better than what was before it, but it is not without issue. is anything really?
By ncgoose on
7/26/2007
|
Re: 4.5.4 Shared SSL support
That's right. I mentioned it mainly to help those who are less experienced with SSL related stuff and DNN authentication specifics. I already saw a number of questions related to this in forums. So, yes - this mod is awesome but has to be understood by general populace to be adequately accepted ;)
By vitkoz on
7/27/2007
|
Re: 4.5.4 Shared SSL support
And if I just locked myself out of my site... exactly how do I get back in?
Might have been the wrong URL, might have been a ghost in the machine.
Right now, I get a 403 and the website wants me to login.
What do I do?
By tantoedge on
8/23/2007
|
Re: 4.5.4 Shared SSL support
I host at CrystalTech, ApplesoftHosting.com, and I'm running DNN4.5.5. I have this information setup correctly, as it works periodically. It will work for 20 minutes or so, then the application starts throwing FileIO security errors and I have to get CrystalTech involved to fix it. While they respond to the request, it is not always handled in a timely manner. My problem has been forwarded to the next level of support, but I'm wondering if this is something being caused by the DNN application. It is becoming a problem, and I am trying to launch a production application to take orders, but can't if shared SSL keeps crashing.
De'Wayne Pitts
Applesoft Inc.
By depitts13 on
9/19/2007
|
Re: 4.5.4 Shared SSL support
Is there a way to stop the site from forcing the user to login twice. Once for the site, and once when the user selects a page that requires an SSL connection.
De'Wayne
Applesoft Inc.
By depitts13 on
9/19/2007
|
Re: 4.5.4 Shared SSL support
De'Wayne, I no longer work for CrystalTech and as such cannot support applications that are hosted there. You will need to work with their support team on the issue. I can tell you this much, use your own SSL and it will not be an issue.
By ncgoose on
9/23/2007
|
|