I'd like to know if Kentico has a "best practice" way to ensure the Requires SSL property is set as Yes on a specific Page Type, without inheriting the property from the Parent page.

I have researched this and have implemented a working solution (below) but am interested to know if there is a better "out of the box" solution that I may have overlooked.

We are using Kentico v8.2 with ASPX + Portal Page Types.

Our technical requirements

  1. Serve the parent listing page over HTTP or HTTPS
  2. Serve the child pages over HTTPS only

Our use case scenario

The user browses a page listing Job Vacancies. The user opens a specific Job Vacancy page which contains an Application Form. The user is confident entering personal details into the Application Form as the page is served over a secure connection.

Considered solutions

The closest "out of the box" solution I could find was to set the parent listing page to Require SSL = Yes and then inherit this on the child pages, however this doesn't meet our technical requirement to allow the listing page to be served over HTTP.

I also decided against manually setting Requires SSL = Yes on each child page as I didn't want to place this burden on the CMS Editors, give them more permissions than necessary and open it up to human error.

Current solution

So I ended up writing a Custom Event handler to set the Requires SSL property on Document Insert or Document Update events.

Initially I was doing this based on Page Type (Node.ClassName) but changed it to be based on a Field value so that I could more easily apply this to other Page Types by simply adding a field without refactoring my code and deploying a DLL.

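using CMS.Base;             // CMSLoaderAttribute
using CMS.DocumentEngine;   // DocumentEvents, DocumentEventArgs, TreeNode

[CustomEvents]
public partial class CMSModuleLoader
{
    private class CustomEvents : CMSLoaderAttribute
    {
        // Register the handlers when the application starts
        public override void Init() {
            DocumentEvents.Insert.Before += Document_Insert_Before;
            DocumentEvents.Update.Before += Document_Update_Before;
        }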

        void Document_Insert_Before(object sender, DocumentEventArgs e)
        {
            SetRequiresSSL(e.Node);
        }

        void Document_Update_Before(object sender, DocumentEventArgs e)
        {
            SetRequiresSSL(e.Node);
        }

        private void SetRequiresSSL(TreeNode node)
        {
            //if RequiresSecureConnection field is equal to true
            if (node.GetBooleanValue("RequiresSecureConnection", false))
            {
                //if Requires SSL is not Yes
                if (node.RequiresSSL != 1)
                {
                    //set Requires SSL
                    node.RequiresSSL = 1;
                }
            }
        }
    }
}

Darren S
  • So, you don't have to answer, but I'm very curious. Why aren't you just encrypting traffic in the first place? – Jerreck Dec 17 '15 at 04:34
  • @Jerreck Do you mean why don't we just serve the entire website over HTTPS? It would solve the problem but I understand there are some valid reasons not to do that http://stackoverflow.com/questions/2746047/why-not-use-https-for-everything – Darren S Dec 17 '15 at 08:14
  • @DarrenS The 3 reasons of the accepted answer are not valid any more, and the *only* protection against MITM is to use https for the full website and use HSTS (preloaded if possible) – Tom Dec 17 '15 at 08:32
  • @Tom I agree that the answer I referenced is old. You raise valid points and I accept there are some good reasons to move to full HTTPS, not least of which is the push from Google https://moz.com/blog/seo-tips-https-ssl. I'm sure you can appreciate that before we move to full HTTPS we'd have technical and SEO implications to consider which aren't in scope at this stage. While the question I asked was about leveraging a specific feature in Kentico CMS, I do appreciate the comment, thank you. – Darren S Dec 17 '15 at 10:15

1 Answer

You can achieve this out of the box without any customisation and still make it editable if you use the system attribute on the page type:

  • Open your page type
  • Add a new field
  • Select Field type: Page field
  • Select Group: Node fields
  • Select field name: RequiresSSL
  • Enter a default value: 1 (which is YES for this type)
  • Deselect the Display field in editing form so the editor won't see it.

This way all pages created based on this page type will have the RequiresSSL preselected. And it's still adjustable.

David

DTK
  • Is there a way to force it to always be Yes? By using a default field = 1 it will set it to Yes on insert but if someone (with permission) changed the RequireSSL value in Pages > Properties > Security > RequireSSL to No it would no longer be served over HTTPS. – Darren S Dec 17 '15 at 10:51
  • Well you have the "Validation" but this is only available if you display the field in the editing form. You could make the editing control a label (so it's not adjustable). Otherwise your document event in code is a good alternative. – DTK Dec 17 '15 at 10:57
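
An added example, not part of the original question, answer or comments: whichever approach sets Requires SSL, an external check can confirm that the child pages really are HTTPS only, which catches the case raised in the last comments where someone later switches the property back to No. It assumes that a page with Requires SSL = Yes answers a plain-HTTP request with a redirect to its https:// URL; the example.com URLs and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def fetch_no_redirect(url, timeout=10):
    """One plain-HTTP GET, redirects not followed: (status, Location)."""
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def classify(http_url, status, location):
    """Decide whether a plain-HTTP request was forced onto HTTPS."""
    if status not in REDIRECTS or not location:
        return "SERVED_OVER_HTTP" if 200 <= status < 300 else "UNEXPECTED"
    src, dst = urlsplit(http_url), urlsplit(location)
    if dst.scheme != "https":
        return "REDIRECT_NOT_HTTPS"   # includes relative redirects
    if dst.hostname != src.hostname:
        return "REDIRECT_OTHER_HOST"
    return "HTTPS_ENFORCED"

def audit(urls, fetch=fetch_no_redirect):
    """Map each must-be-HTTPS URL to a verdict; fetch is injectable."""
    results = {}
    for url in urls:
        try:
            results[url] = classify(url, *fetch(url))
        except OSError as exc:
            results[url] = "ERROR: %s" % exc
    return results

# Constructed responses (not captured from a real site).
SAMPLE = {
    "http://www.example.com/jobs/analyst": (302, "https://www.example.com/jobs/analyst"),
    "http://www.example.com/jobs/editor": (200, None),
    "http://www.example.com/jobs/tester": (301, "/jobs/tester/"),
}

def sample_fetch(url):
    return SAMPLE[url]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE, fetch=sample_fetch).items():
        print(verdict, url)
```

Run `audit()` with the default fetcher against the real child-page URLs on a schedule; any verdict other than `HTTPS_ENFORCED` means the page can still be reached over HTTP.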