site 1 with ssl and site 2 without?

If you have questions about using mojoPortal, you can post them here.

You may want to first review our site administration documentation to see if your question is answered there.

This thread is closed to new posts. You must sign in to post in the forums.
7/6/2009 5:11:15 PM
Gravatar
Total Posts 11

site 1 with ssl and site 2 without?

I have two sites, one should be secure and the other not.

I just updated from 2.2.7.9 to 2.3.1.0  Before the update, the secure site was working exclusively on https which it is not doing anymore.  Many pages are presenting on http.  The second site is trying to login on https.  It should not as I do not have a certificate for that domain.  Have I missed something in the new web.config file?  What do I need to do to force all pages on site 1 to https and all pages on site 2 to http?

Thanks

7/7/2009 7:29:10 AM
Gravatar
Total Posts 18439

Re: site 1 with ssl and site 2 without?

It is not possible in the current version nor in any previous versions of mojoPortal to have some sites in a single installation use ssl and others not use ssl, because they all share the same Web.config file and the setting SSLIsAvailable is a global setting applied to all sites, so if true it will try to use ssl on login, register, user profile etc in all sites. This has always been true in mojoportal so there is no way it worked in previous versions.

Possibly in the future I will make this setting a little more granular so that 1 site could use ssl and all others not use ssl but in general you need separate IIS web sites for each domain that will use SSL because only 1 SSL certificate can be bound to a particular ip address and the ssl cert must match the domain. So there can only be one site in any single installation that can use ssl uless you use folder based sites so they are the same domain.

Hope it helps,

Joe

7/10/2009 9:51:15 AM
Gravatar
Total Posts 11

Re: site 1 with ssl and site 2 without?

We have the secured side of our mojoPortal installation integrated as one part of a larger site.  We made the security on our site use the same security as the mojoPortal in order to maintain a single sign-on.  Since the upgrade to 2.3.1.0, our left hand menu links link to http instead of https.  We need them to link to https in order to work within our overall security plan.  How do we make those links switch to https?

7/10/2009 9:57:13 AM
Gravatar
Total Posts 18439

Re: site 1 with ssl and site 2 without?

If you have an ssl certificate and you set SSLIsAvailable to true in Web.config/user.config, then you can set Require SSL on each page in page settings and it will make the links in the menu use https.

Hope it helps,

Joe

7/10/2009 10:10:28 AM
Gravatar
Total Posts 11

Re: site 1 with ssl and site 2 without?

Thank you. I had set the site setting to use SSL on all pages, but that aparently did not do the trick.  Turning off the site setting and turning it on for each individual page fixed it.

Thanks

7/10/2009 10:28:41 AM
Gravatar
Total Posts 18439

Re: site 1 with ssl and site 2 without?

I consider it a bug that the global setting doesn't make the link use https and will fix that for the next release. I believe the global setting would enforce it with a redirect to https even if the links were not rendering as https though.

Thanks for pointing out this issue.

Best,

Joe 

8/2/2009 5:53:10 PM
Gravatar
Total Posts 221

Re: site 1 with ssl and site 2 without?

I don't know if possible but here's something to think about (keeping in mind a single install with multiple child sites & using SSL).

What if a generic SSL cert is placed on the IIS web for mojoPortal and it has a generic domain name such as securedomain.com. Would it be possible someday to allow sites to share that domain just for certain pages? Say the user has a donation page and they don't care if the URL changes to securedomain.com just for that page. Ideally of course the skin would still brand that page and it would flow like the other pages in their site, but just for those secure pages they share a domain name and SSL cert.

I do this now in a manual sort of way using IIS, virtual directories and a shared SSL/Domain name. Example:
https://www.secure-ssl-web.com/1020/getinvolved/donations/default.asp

I can fully appreciate how complex and impossible this might be, but I just wanted to throw it out there in case anyone with more knowledge than me has a good idea. It sure would be a HUGE benefit to have just one install and multiple sites being able to use SSL to some degree (while not requiring a SSL cert for each site). I'd use iFrames if it wasn't for the URL and little lock problem. While secure, users wouldn't visible know it unless they view the frame properties.

Joe mentioned in another post that you could have just two installs, one for SSL sites and one for non-SSL. That's a pretty good second best bet. My main concern there is that with my luck a month later one of those non-ssl site will want to add a SSL application and then I'm in trouble, LOL.

Thanks everyone, mojoPortal is simply amazing!!!!!

8/3/2009 8:06:54 AM
Gravatar
Total Posts 18439

Re: site 1 with ssl and site 2 without?

Hi,

Its possible to have a wildcard ssl cert for multiple host names at the same domain like www.somedomain.com, foo.somedomain.com etc.

And its easy to have a single ssl cert and multiple sites based on folders instead of hostnames because all the site have the same domain in that scenario.

There is no good way to share an SSL certificate among sites with different domains and that would defeat the purpose of SSL. An SSL certificate is one way to make sure a site is not being spoofed, it must match the site domain and the browser can validate the certificate against a chain of trust authorites. So it serves 2 purposes, encrypting the data over the wire and assuring the data is coming from or being posted to the correct site.

You can not login using a different domain than the site domain because authentication cookies are per host name/domain and one domain cannot set or read cookies for another domain, so logging in at securedomain.com is not going to log you in to somedomain.com. This is basic browser security and trying to find ways around it would just lead to an insecure model.

Best,

Joe

You must sign in to post in the forums. This thread is closed to new posts.