Require SSL on All Pages

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This is the place to report bugs and get support

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

What operating system were you running when the bug appeared?
What database platform is your site using?
What version of mojoPortal are you running?
What version of .NET do you use?
What steps are necessary to reproduce the issue? Compare expected results vs actual results.

You must sign in to post in the forums.

2/23/2025 8:14:10 AM

Eric Stoffers

Total Posts 227

View Posts

Gold Partner

Require SSL on All Pages

Mojo Version: 2.9.0.1

On the master site settings page:

/Admin/SiteSettings.aspx

There's a field disabled called "Require SSL on All Pages?" that I can't turn off and need to. I don't want SSL on development sites and since SSL is a slightly premium feature we charge for some clients opt out of SSL for smaller sites (maybe a few-page brochure site).

If I go into the database I can set that field to false and the site will work until I make any edit to the site settings and save. Then it defaults back to SSL required.

Table: mp_sites
Field: UseSSLOnAllPages

The site-config doesn't seem to have any effect on SSL for the child site.
<add key="SSLIsAvailable" value="false" />
<add key="Site4-SSLIsAvailable" value="false" />

It seems like if that field (UseSSLOnAllPages) wasn't disabled it would work fine, like it used to.

This changed a minor version back or two and seems to be an error....unless I'm doing something wrong. I don't think SSL should be required right off the bat and if a master site admin wants to turn it off for a variety of reasons (such as in development) it should be a configurable option in some way. A site.config setting would be fine as well.

2/25/2025 8:47:53 PM

Joe Davis

Total Posts 2247

View Posts

Re: Require SSL on All Pages

Hi Eric,

You should set "ForceSslOnAllPages" to false in your web/user.config. Additionally, if a site doesn't have SSL enabled (SiteX-SSLIsAvailable is false), then the Site Settings "Require SSL On All Pages" doesn't do anything.

It is a bug that the setting is shown on the settings for child sites when those child sites don't have SSL enabled, but it doesn't do anything.

This setting will disappear altogether soon. If SSL is enabled for a site, it should be enabled on all page of that site. The only reason the setting was created was because SSL used to slow sites down and could cause search index issues. Neither of those two things are true anymore so this setting is unnecessary.

You might want to look into Let's Encrypt, win-acme, and Certify The Web. Certificates don't have to cost anything anymore. We secure all sites these days. Search Engines dock your site rankings if you don't have SSL and web browsers try https before http unless you type/link specifically to http. You can even use automatic DNS verification to get wildcard certs.

Thank you,
Joe Davis

2/26/2025 9:48:41 AM

Eric Stoffers

Total Posts 227

View Posts

Gold Partner

Re: Require SSL on All Pages

I get what you are saying about SSL and I agree fully, and also use letsencrypt, but we still charge for the work and setup. Also, for development, I don't want to mess around with SSL until the site goes live.

There's still a bug though. I have these in my site.config which shouldn't be requiring SSL.

If you go to my demo site which is site 9:

http://rookana.proactivedesign.net/about

Try clicking through the main nav. The URLs are all HTTPS despite the site.config settings above. You can switch the page manually to non-https and it works, but the nav if clicked will take you back to https if you click on anything. So I think the bug is actually in the way the nav is rendering?? The page itself doesn't redirect, it's just the nav links don't seem to be looking at the config setting and instead looking at the DB field UseSSLOnAllPages.

If I go into the database and turn that UseSSLOnAllPages to false then the nav works as expected.

I really think SSL needs to be an option for testing and development or some kind of other issue with the certificate where it needs to be turned off temporarily even. Most other tools, stores, CMS systems allow for non-SSL. You woulnd't want to install the CMS and immediately nothing works because it's requiring SSL setup first.

2/26/2025 10:12:52 PM

Joe Davis

Total Posts 2247

View Posts

Re: Require SSL on All Pages

What do you have ForceSslOnAllPages set to?

It defaults to true in code, so unless you specifically set it to false, it could cause some issues if ssl is available on another site. I haven't had a chance to dive into it to be sure though. I know we use mojo in dev without ssl though.

Thanks,
Joe

2/27/2025 9:38:21 AM

Eric Stoffers

Total Posts 227

View Posts

Gold Partner

Re: Require SSL on All Pages

I did not know about this site.config setting:

ForceSslOnAllPages

Setting that false fixes everything. I can now set that per site. So on dev sites I don't need SSL setup which is ideal in my opinion.

So this works. I'd say it doesn't matter how going forward you set SSL per child site, just that there should probably be a way to clarify what has SSL and what doesn't. If the main nav wasn't looking at the UseSSLOnAllPages field that would also work it seems.

Thanks for the help, hope this helps others as well!

You must sign in to post in the forums.