Forums (Obsolete)

Member

matt-awg - 10/1/2013 10:07:59 AM

SSL submission of logon mini form

Hello,

Is it possible to secure the "logon mini form" web part so that it requires SSL when submitting the form? I searched the forums and the documentation:

http://devnet.kentico.com/docs/webparts/index.html?logonminiform_overview.htm

and I can't seem to find a way. This is on the header of every page of the site so I cannot require SSL on the entire site. I was hoping that on the non-SSL pages I could still require the form submission be done via SSL. Is this a limitation of the .Net framework having a single server side form on the page? Is there anyway to do this?

Thanks,
Matt

Kentico Legend

Brenden Kehren - 10/1/2013 11:46:19 AM

RE:SSL submission of logon mini form

Why can't you require SSL on the entire site? Is your connection from your web server to your SQL server encrypted or secured? You might also check into that. People who know about security are use to seeing https, a green address bar, a padlock, etc. when you log in to any site. If your site has a logon form in the header then I'd suggest putting SSL on your entire site because the users can log in on any page. It's not a limitation of asp.net, Kentico or anything else; it's simply your design requirement.

One thing you could do is create a button that says login and it opens a modal window with an iframe in it to your secured page with the login form on it. This way you still get the placeholder for it in the header. You could also place an iframe on master page as well with the same scenario as I just mentioned. Seems like a bit of a hack though I think. The users will see there isn't https and might question that even though it is https. Plus you might get some errors on the page stating the content is secured and some isn't.

I'd recommend the whole site be https

Member

matt-awg - 10/1/2013 3:05:36 PM

RE:SSL submission of logon mini form

It's not a limitation of asp.net, Kentico or anything else; it's simply your design requirement.

I don't understand that statement... If I were doing this in ASP, or PHP, I would make two forms on the site. One in the header that submitted via SSL and one on other parts of pages that need a form, like a cart, or contact form, etc. Even if I was making this via a custom ASP.NET solution, I would make a second (non-server side) form (outside the main server side form in the master page since you can't nest forms) for this login form in the header. This "logon mini form" is not capable of doing this, and my searching finds no other way of doing this in kentico, hence it is a limitation of Kentico right?

Anyway, I don't want to argue that point with you, I want to thank you for the idea of just securing the entire site. The client was happy with that approach. I was concerned about possible performance issues (which is why I normally only secure sections of sites that are in need of "securing") due to the overhead of SSL on the server but this is not that high traffic a site so I am not really concerned.

Thanks,
Matt

Kentico Legend

Brenden Kehren - 10/2/2013 8:11:43 AM

RE:SSL submission of logon mini form

I apoligize Matt, I totally forgot about classic asp and being able to have 2 or more forms on a page (been 7 or 8 years since I worked with classic asp). So I'll retract my statement, it is a limitation of asp.net. What I meant by saying that is it is your or your clients requirement to have that login form in the header (when it could be placed other places that wouldn't require your whole site to be ssl).

Just because you're search doesn't return any results exactly or an example of what you want to do doesn't mean its a limitation, its simply something someone hasn't done yet. If I've learned anything in my years as a programmer, it's everything is possible.

From a performance and SSL standpoint, you can talk with people all day long about performance this and performance that but what it ultimately comes down to is if you're more concerned about security then performance, then performance takes its place second in line after security. There are other things you can do to increase performance that far out-weigh the impact of SSL on your site many Kentico MVP's have blogged about this.

Good luck!


Kentico Support	kentico_filipl - 10/17/2013 5:03:10 AM RE:SSL submission of logon mini form Hi Matt, I agree with FroggEye. By default, Kentico CMS supports only securing pages through SSL, not web parts so from my point of view, the best way to implement SSL would be to secure the entire site the way it was already suggested by FroggEye. Best regards, Filip Ligac