Per User SSL Requirement


This thread is closed to new posts. You must sign in to post in the forums.
1/22/2011 2:47:00 PM

Per User SSL Requirement

I want regular users to login on unencrypted connection, and admins to login over SSL.

1. Is there any way to do this?

2. If you don't know, then is there any way to enable SSL pages without requiring SSL based connection for login?

Thanks.

1/22/2011 4:08:17 PM

Re: Per User SSL Requirement

Hi,

1. Nope, no way to do this. One simple reason is that the application would have no way to know whether the visitor is an admin or a regular user until after they log in.

2. With mojoPortal's features, no. You could do this with the URLRewriter Module for IIS 7+ but I am not sure why you would want to because if you don't encrypt the login, a hacker could gain access to your entire site which would negate having any other pages secured.

If you have a certificate and can secure your site, why do you care that non-admin users login securely?

HTH,
Joe D.
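As an added example that is not part of the original thread or of mojoPortal's own configuration: the kind of IIS URL Rewrite rule Joe D. alludes to above, forcing HTTPS on the sign-in page only while leaving the rest of the site on plain HTTP. It assumes IIS 7+ with the URL Rewrite module installed, that the login page lives at /Secure/Login.aspx (mojoPortal's usual path, but check your install), and that the administration area sits under /Admin/ (an assumption made here for illustration). This goes in the site's web.config:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the project's own config. Paths are assumptions; verify them against your install. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Any plain-HTTP request for the login page is redirected to the same URL over HTTPS.
             {HTTPS} is "off" for plain HTTP; {R:0} is the whole matched path (query string is appended by default). -->
        <rule name="Force HTTPS for sign-in" stopProcessing="true">
          <match url="^Secure/Login\.aspx$" ignoreCase="true" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
        </rule>
        <!-- Same treatment for everything under the (assumed) administration folder,
             so an admin who bookmarks a deep link still lands on HTTPS. -->
        <rule name="Force HTTPS for admin area" stopProcessing="true">
          <match url="^Admin/.*" ignoreCase="true" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

One caveat a practitioner should weigh before adopting this layout: the rules protect the password while it is submitted, not the session that results. ASP.NET forms authentication does not set the Secure flag on its cookie unless `requireSSL="true"` is configured on the `<forms>` element, and with that flag set the browser will not send the cookie on plain-HTTP pages at all, so a mixed HTTP/HTTPS site cannot use it without appearing to log users out. Without the flag, an admin who signs in over HTTPS and is then redirected back to an HTTP page sends the authentication cookie in clear text on that request, and anyone who can observe the regular users' unencrypted traffic can capture and replay it. Per-page SSL therefore narrows the exposure of the credential, but the session cookie remains only as protected as the least-protected page it is sent to.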

1/22/2011 5:28:31 PM

Re: Per User SSL Requirement

Odd restriction, I think. I found a work-around: use the new User Sign-in module, put it on a non-encrypted page, set some property in user.config so that the BIG RED WARNING is not displayed. The regular SSL log-in link is still available for admins and whoever wants it.

Really, Mojo should not be redirecting SSL traffic to non-SSL. No other general purpose web application in the world would do that.

1/22/2011 5:35:58 PM

Re: Per User SSL Requirement

>> 2. With mojoPortal's features, no. You could do this with the URLRewriter Module for IIS 7+ but I am not sure why you would want to because if you don't encrypt the login, a hacker could gain access to your entire site which would negate having any other pages secured.

Well, my authenticated users have only read only rights. No modify. The worst that could happen is that a malefactor would see content not intended for public use, about which I'm not much concerned.

>>If you have a certificate and can secure your site, why do you care that non-admin users login securely?

Because I use a self-signed cert, which prompts browser SCARES for people not immune to them :)


1/23/2011 10:43:13 AM

Re: Per User SSL Requirement

Sorry, I understand you are trying to get around your self-signed cert but that is not going to work. My advice is buy an SSL certificate; places like rapidssl.com have pretty low prices for budget SSL certificates.

As Joe D said, there is no way to make it use SSL for some users and not others, particularly for sign in, since it doesn't know who the user is when they have not yet signed in.

If SSL is available it will be automatically used on important security pages like the login and register and user profile pages. Also if SSL is available you can configure in site settings to require SSL on all pages or you can enable it on a page by page basis from page settings.

There are good reasons to redirect out of SSL on pages that are not configured for SSL. For example, any script or image or iframe that uses src="http://someurl.png" or whatever is going to cause a browser warning if the outer page is using SSL and the embedded content is not, so it requires more care with the content if you are designing pages to use SSL. Another reason is that using SSL is more work for the server, so it is better to use it where intended and not use it where not intended.

Hope it helps,

Joe

1/23/2011 2:24:16 PM

Re: Per User SSL Requirement

Hi,

You can also get Class 1 certificates for free from StartSSL. I have used them in the past without any problems.

Thanks,
Joe D.

1/23/2011 9:01:40 PM

Re: Per User SSL Requirement

Joe,

> Sorry, I understand you are trying to get around your self signed cert but that is not going to work.

No, I'm trying (and have succeeded with the above described work-around) to allow users to login to my web site using an unencrypted connection, while still providing encrypted access where I deem it necessary. If you had not supplied the Sign-In module to accomplish this, I was about ready to do it myself. Thanks!

> My advice is buy an SSL certificate, places like rapidssl.com have pretty low prices for budget SSL certificates.

Really, I would have no use for a paid certification, except to make idiotic browsers happy. My users trust my word that my domain is owned by me. They don't require someone else's certification. Fact is, they'd probably laugh to think they should trust veri-sign and IE more than they trust me.

The whole trust supply chain of so called "certificates" is simply subterfuge and a great income generator for those collecting fees. The only reason I can see to "buy" one is to make someone else a little richer and me a little poorer. When I connect to visa.com, I trust my typing more than I trust a CA, whether or not SSL is employed. All a CA says is that https://visa.com is as good as connecting to http://visa.com, an assertion my 5 year old can make with equal authority based on the simple rules of logic.

The annoying part of all this is that browsers present utterly non-sensical or misleading messages to people using them with SSL unless the site has bought into the whole CA scam. I've read the messages: they defy all rules of logic (FF) or are misleading (IE). It is truly bizarre, unless you ascribe collusion to the whole process.

> As Joe D said there is no way to make it use ssl for some users and not others particularly for sign in since it doesn't know who the user is when they have not yet signed in.

Well, you guys often say "there is no way". I can think of three ways to provide it, and there are other ways to secure login without using SSL.

1. Have a login that takes user name only, looks it up, and if the user is an admin, send him to an SSL page for his password.
2. Use the method I described above. Mojo users construct two separate links essentially.
3. Mojo itself could be modified to allow it.

And finally, there are javascripts available on the net for encrypting post data that can be unencrypted by a web app but not by anyone else. The SSL requirement then disappears. But that would require Mojo mods too.

> If SSL is available it will be automatically used on important security pages like the login and register and user profile pages.

That is a nice feature for out-of-the-box configuration, and the way it should be, but it is patronizing to say it must be so.

> There are good reasons to redirect out of SSL on pages...

Again, a default configuration might suggest this, but there are perfectly good reasons not to redirect as well. Since you are all business-minded: browser warnings about mixed encrypted/unencrypted content would suggest to me, the site owner, that I had not set something up properly. With the redirect, I totally miss that information, unless I closely watch for a little lock icon on the status bar, or the existence of a tiny little "s" in the address bar.

Furthermore, redirecting my site's encrypted traffic to unencrypted behind my back, or without my permission, seems like improper etiquette. If Apache or IIS did that, they'd be out of business overnight :)

> Hope it helps,

Well, Mojo does help, otherwise I would not be using it! Thanks for making it freely available. It is a decent product that I can supply to people without having to fuss with much, despite its odd internal workings.

1/23/2011 9:09:09 PM

Re: Per User SSL Requirement

> You can also get Class 1 certificates for free from StartSSL. I have used them in the past without any problems.
>
> Thanks,
> Joe D.

I would not call a 37 page legal agreement "free" :)

I ran away for the sheer size of it...

I used to know of a land of the free and a home of the brave where a person's word and his handshake was all that was required to do business...I wonder whatever happened to it? No doubt I'll tell sentimental stories about it to my boy as he grows up. Maybe he or his generation will get to see it again.


1/24/2011 6:06:17 AM

Re: Per User SSL Requirement

I'm glad you figured out a way to do what you want, and sorry you found my help to be "patronizing", and sorry you think mojoPortal giving you control over which pages to encrypt and which not to encrypt is "odd internal workings".

I think your use case is an unusual one and I totally disagree with most of your long rant about SSL but I don't have time or interest to argue with you about it. You sound like a tough customer to me, not easily satisfied even when you use free products and get free help, I'll think carefully before patronizing you again with my help.
