More SSL Questions


This thread is closed to new posts. You must sign in to post in the forums.
6/6/2012 8:55:36 PM
Website Hobbyist and Software Engineer
Proud member of the mojoPortal team
www.doan.me

More SSL Questions

Joe and all,

I am almost ashamed to admit this, but I have never ventured into SSL land before. So I am a newbie. I got my SSL cert and had Arvixe install it. I have my mojoPortal instance set up and I get SSL on my site. But now I am finding that I display a lot of non-secure content on my site. I have been able to fix most of them with the help of Chrome's developer tools, but there are just some instances where I want/need to display certain non-secure content (i.e. Google Adsense - that from a little bit of research does not seem to have an SSL solution, but did find a workaround to hide it when page is https).

I located this forum post here on mojoPortal where you stated that if a page is not marked for SSL that it will redirect to HTTP. I am not experiencing that, at least not with the following steps followed.

  1. User accesses the site unauthenticated with an http URL
  2. User clicks Sign In and is redirected to the Log in page with an https URL
  3. User logs in and is returned to home page, but URL is now https and browser alerts user the page contains non-secure content

The site setting of Require SSL on All Pages is unchecked. The Require SSL pages setting for the home page is unchecked.

Am I still missing something? Is there more configuration required for a page to be non-SSL?

Along those lines, I have an RSS feed to the mojoPortal Blog on my website. The RSS feed contains a lot of un-secure content as well. Is there a way to get the RSS feed with secure content? Otherwise, the redirect to http instead of https would again be the desire.

Thanks in advance for all replies.

Kerry

6/7/2012 4:31:06 PM

Re: More SSL Questions

Hi Kerry,

We've changed the behavior of mojoPortal to try to keep you in ssl once you have started an ssl session. This is discussed in the article Use SSL.

Basically once you are signed in we want to keep you in ssl to protect your authentication and role cookies from being stolen which would allow another person to access your site with your privileges. We do this by using relative urls as much as possible since these will inherit the protocol from the current page so once you get into ssl it generally stays in ssl unless you click a link that explicitly uses http.

I've encountered this same problem on this site with adsense. If you only configure adsense for text based ads, it works fine on secure pages but if you allow rich media or images it can result in browser warnings.

The only real solution is for google to fix adsense so it fully supports ssl for ads. It is actually kind of mind blowing that they haven't done this since they led the charge to use ssl everywhere in their other services.

You "could" go back to the old behavior by adding this to user.config:

<add key="ClearSslOnNonSecurePages" value="true" />

but then the downside is that you will either put your cookies at risk or you will appear to be not logged in on insecure pages if you use the recommended settings to protect the authentication cookie as discussed in the linked article. You will notice on this site that if you are signed in but somehow get to a URL with only http and not https then you don't appear to be logged in because I have it configured to protect the cookies by only passing them on secure requests.

Hope that helps,

Joe

6/8/2012 8:53:26 AM
Website Hobbyist and Software Engineer
Proud member of the mojoPortal team
www.doan.me

Re: More SSL Questions

Joe,

Thanks for the reply ... all great stuff. I am not sure if you just missed my last comment about the RSS from mojoPortal Blogs. Is there any way to make that content secure? Right now I have an RSS feed of your blog that you have here on this site. On my site the browser always throws the unsecure content warning when trying to view that RSS feed on a secure page.

Thanks again!

Kerry

6/11/2012 7:24:17 AM

Re: More SSL Questions

Hi Kerry,

I'll fix it so that the link for the feed url always uses http instead of https to prevent warnings when a user clicks the link.

However it's not possible to ensure that a secure page using feed manager won't cause browser warnings since it consumes content from remote sites that may include insecure items in the consumed content. i.e. any images or iframes or anything with src=http: in the content will cause browser warnings if the containing page is using https.

Best,

Joe
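
The point in the reply above, that a consumed feed can carry src=http: items into an https page, can be checked before a feed is placed on a secure page. The following is an added example, not part of the original thread and not mojoPortal code; the sample feed is constructed, and the names InsecureSrcFinder and find_insecure_items are hypothetical.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed (not real mojoPortal or blog output).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example blog</title>
<item><title>Post A</title>
<description>&lt;p&gt;Text &lt;img src="http://cdn.example.com/a.png"&gt;
&lt;a href="http://example.com/more"&gt;more&lt;/a&gt;&lt;/p&gt;</description></item>
<item><title>Post B</title>
<description>&lt;img src="https://cdn.example.com/b.png"&gt;
&lt;iframe src="HTTP://video.example.com/embed/1"&gt;&lt;/iframe&gt;
&lt;img src="//cdn.example.com/c.png"&gt; &lt;img src="/local.png"&gt;</description></item>
</channel></rss>"""


class InsecureSrcFinder(HTMLParser):
    """Collects (tag, url) for every src attribute that uses plain http:."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags (<img ... />) are routed here by HTMLParser as well.
        for name, value in attrs:
            # Relative and protocol-relative URLs inherit the page's scheme;
            # plain links (href on <a>) do not load content, so they are skipped.
            if name == "src" and value and value.strip().lower().startswith("http:"):
                self.hits.append((tag, value.strip()))


def find_insecure_items(feed_xml):
    """Return {item title: [(tag, url), ...]} for items that would warn on https."""
    report = {}
    # For feeds from untrusted sources, use a hardened XML parser such as defusedxml.
    for item in ET.fromstring(feed_xml).iter("item"):
        finder = InsecureSrcFinder()
        finder.feed(item.findtext("description") or "")
        finder.close()
        if finder.hits:
            report[item.findtext("title") or "(untitled)"] = finder.hits
    return report


if __name__ == "__main__":
    for title, hits in find_insecure_items(SAMPLE_FEED).items():
        for tag, url in hits:
            print(f"{title}: <{tag}> loads {url}")
```

A feed that returns an empty report contains no src=http: items at the time of the check; the remote site can still change its content later.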
