I am working on a website, where I need a secure contactform, so users of the website can send informations like social securitynumber secure (https). I have'nt been able to find anything either on forum.umbraco or our.umbraco (which, by the way, is pretty awesome!), so my next step is this post...
I have bought hosting with mochahost.com with 128bit Shared SSL included (and Plesk controlpanel). The support at mochahost.com says that all I need is to place the contactform-file inside the Secure Documents-folder, but I can't see how to approach it, since my contactform is located in the Usercontrol-folder, and as far as I know, I can't just move the usercontrol to the secure-folder...
I hope that one of you guys and girls can help me with a few pointers on how to handle it.
Thanks!
Version(s): Umbraco 4.0.2.1 with a fairly edited Runway installed! ASP.NET: The controlpanel says 2.0 (butI had to install the 3.5 web.config! The only way I could get the website to work)
You shouldn't need to move the usercontrols since the usercontrols aren't accessed directly by any url. Instead, you'll use a macro that calls the .net control for the contact form (put the macro on the template for the contact form, or in the richtext editor on the contact form's page).
Then, simply link to the contact form and specify that you want https: instead of http: when you make the link.
You might want to use a rewrite rule or some other checking (perhaps in the contact form control itself) to redirect to https if the request comes in on http only.
This way is problematic with the kind of setup Helm expects - Douglas straightforward solution I think would only work with if you had your own SSL cert installed so you could access https://www.yourdomain.com
The only easy way round this I can think of is to place just a standalone .Net form page/code inside this shared SSL folder, then use an Iframe to include it in the contact page. A bit of a pants solution as far as usability is concerned but definitely a work-around? (The contents of the iframe will then be secured)
I'm not an expert in url rewriting (though there are many in the community who are), but what I was thinking was something like that recommended by 'Kalpa' at http://forum.umbraco.org/yaf_postst3224p2_SSL-and-umbraco.aspx. You may also find that the approach within IIS noted by 'JHodgkinson' would be appropriate.
That forum thread is about securing the /umbraco/umbraco.aspx page, but the theory would be the same for any page.
I also wrote a little library to extend NiceURL so I could call that from my code and XSLT that could write a fully qualified https path depending on paramenters passed into it.
Doug,
You said "Then, simply link to the contact form and specify that you want https: instead of http: when you make the link." Are you saying there is an option when creating a link in content to choose https? I can't see this if it exists. This was the only thing I couldn't automate for my users which is why I set up the rewriting rules.
It would be nice for Umbraco to have HTTPS built into it for content and not just the Umbraco back-end. So that NiceURL would generate links based on a page setting....
Looking at the support docs for your host you should be able to access your site through their shared SSL.(http://www.mochasupport.com/kayako/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=326).
You could also get a static IP and a private SSL security specifically for your site (so you could use https://yourdomain.com as well as http://) for only a few dollars a month.
I don't know your exact setup but I figure something like this may work using the shared SSL: (change the contact-form-page.aspx and servername.mochahost... parts)</p>
<pre class="prettyprint"><p><span class="pln"> </span><span class="tag"><add</span><span class="pln"> </span><span class="atn">name</span><span class="pun">=</span><span class="atv">"EnforceSSLForContactPage"</span><span class="pln"> </span><span class="atn">virtualUrl</span><span class="pun">=</span><span class="atv">"http://(.*)/contact-form-page.aspx"</span><span class="pln"> </span><span class="atn">rewriteUrlParameter</span><span class="pun">=</span><span class="atv">"ExcludeFromClientQueryString"</span><span class="pln"> </span><span class="atn">destinationUrl</span><span class="pun">=</span><span class="atv">"https://servername.mochahost.com/~yourdomainname.com/contact-form-page.aspx"</span><span class="pln"> </span><span class="atn">ignoreCase</span><span class="pun">=</span><span class="atv">"true"</span><span class="pln"> </span><span class="atn">redirect</span><span class="pun">=</span><span class="atv">"Domain"</span><span class="pln"> </span><span class="atn">redirectMode</span><span class="pun">=</span><span class="atv">"Permanent"</span><span class="tag">/></span>
Mochahost looks like quite a good option for shared SSL - I thought they would have had a separate folder that you upload to that is accessible via the shared SSL, it appears in fact that you can access your entire site through the shared SSL (allowing you to do the rewrite and keep everything in Umbraco).
Douglas - the alternate URL isn't going to cause any problems with Umbraco is it?
Secure contactform
Hi
I am working on a website, where I need a secure contactform, so users of the website can send informations like social securitynumber secure (https). I have'nt been able to find anything either on forum.umbraco or our.umbraco (which, by the way, is pretty awesome!), so my next step is this post...
I have bought hosting with mochahost.com with 128bit Shared SSL included (and Plesk controlpanel). The support at mochahost.com says that all I need is to place the contactform-file inside the Secure Documents-folder, but I can't see how to approach it, since my contactform is located in the Usercontrol-folder, and as far as I know, I can't just move the usercontrol to the secure-folder...
I hope that one of you guys and girls can help me with a few pointers on how to handle it.
Thanks!
Version(s):
Umbraco 4.0.2.1 with a fairly edited Runway installed!
ASP.NET: The controlpanel says 2.0 (butI had to install the 3.5 web.config! The only way I could get the website to work)
Peter Lippert
You shouldn't need to move the usercontrols since the usercontrols aren't accessed directly by any url. Instead, you'll use a macro that calls the .net control for the contact form (put the macro on the template for the contact form, or in the richtext editor on the contact form's page).
Then, simply link to the contact form and specify that you want https: instead of http: when you make the link.
You might want to use a rewrite rule or some other checking (perhaps in the contact form control itself) to redirect to https if the request comes in on http only.
Or have I misunderstood what you're asking?
cheers,
doug.
I think I understand how your host is doing this - using a single SSL site off their domain, ie. https://secure.yourhost.com/yoursecurefolder
This way is problematic with the kind of setup Helm expects - Douglas straightforward solution I think would only work with if you had your own SSL cert installed so you could access https://www.yourdomain.com
The only easy way round this I can think of is to place just a standalone .Net form page/code inside this shared SSL folder, then use an Iframe to include it in the contact page. A bit of a pants solution as far as usability is concerned but definitely a work-around? (The contents of the iframe will then be secured)
brainfart - I meant Umbraco not Helm in the second paragraph
Hi
I thought about the iframe-workaround as well... But its not pretty.
Doug you say, just link to https://domain.dk/contact.aspx , right? But the 'rewrite rule' i don't understand (sorry :-). What do you mean by that?
Mayby I should say, that I'm quite new with Umbraco :-)
I'm not an expert in url rewriting (though there are many in the community who are), but what I was thinking was something like that recommended by 'Kalpa' at http://forum.umbraco.org/yaf_postst3224p2_SSL-and-umbraco.aspx. You may also find that the approach within IIS noted by 'JHodgkinson' would be appropriate.
That forum thread is about securing the /umbraco/umbraco.aspx page, but the theory would be the same for any page.
Hope that helps.
cheers,
doug.
This is the URL rewriting rule I used for ensuring https:
I also wrote a little library to extend NiceURL so I could call that from my code and XSLT that could write a fully qualified https path depending on paramenters passed into it.
Doug,
You said "Then, simply link to the contact form and specify that you want https: instead of http: when you make the link." Are you saying there is an option when creating a link in content to choose https? I can't see this if it exists. This was the only thing I couldn't automate for my users which is why I set up the rewriting rules.
It would be nice for Umbraco to have HTTPS built into it for content and not just the Umbraco back-end. So that NiceURL would generate links based on a page setting....
Cheers
Paul
Looking at the support docs for your host you should be able to access your site through their shared SSL.(http://www.mochasupport.com/kayako/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=326).
You could also get a static IP and a private SSL security specifically for your site (so you could use https://yourdomain.com as well as http://) for only a few dollars a month.
I don't know your exact setup but I figure something like this may work using the shared SSL: (change the contact-form-page.aspx and servername.mochahost... parts)</p> <pre class="prettyprint"><p><span class="pln"> </span><span class="tag"><add</span><span class="pln"> </span><span class="atn">name</span><span class="pun">=</span><span class="atv">"EnforceSSLForContactPage"</span><span class="pln">
</span><span class="atn">virtualUrl</span><span class="pun">=</span><span class="atv">"http://(.*)/contact-form-page.aspx"</span><span class="pln">
</span><span class="atn">rewriteUrlParameter</span><span class="pun">=</span><span class="atv">"ExcludeFromClientQueryString"</span><span class="pln">
</span><span class="atn">destinationUrl</span><span class="pun">=</span><span class="atv">"https://servername.mochahost.com/~yourdomainname.com/contact-form-page.aspx"</span><span class="pln">
</span><span class="atn">ignoreCase</span><span class="pun">=</span><span class="atv">"true"</span><span class="pln">
</span><span class="atn">redirect</span><span class="pun">=</span><span class="atv">"Domain"</span><span class="pln">
</span><span class="atn">redirectMode</span><span class="pun">=</span><span class="atv">"Permanent"</span><span class="tag">/></span>
Try that! Just tested it on my latest Umbraco local dev site and it works ok for the rewrite
Mochahost looks like quite a good option for shared SSL - I thought they would have had a separate folder that you upload to that is accessible via the shared SSL, it appears in fact that you can access your entire site through the shared SSL (allowing you to do the rewrite and keep everything in Umbraco).
Douglas - the alternate URL isn't going to cause any problems with Umbraco is it?
is working on a reply...