Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Peter Lippert 12 posts 31 karma points
    Jul 08, 2009 @ 16:15
    Peter Lippert
    0

    Secure contactform

    Hi

    I am working on a website, where I need a secure contactform, so users of the website can send informations like social securitynumber secure (https). I have'nt been able to find anything either on forum.umbraco or our.umbraco (which, by the way, is pretty awesome!), so my next step is this post...

    I have bought hosting with mochahost.com with 128bit Shared SSL included (and Plesk controlpanel).  The support at mochahost.com says that all I need is to place the contactform-file inside the Secure Documents-folder, but I can't see how to approach it, since my contactform is located in the Usercontrol-folder, and as far as I know, I can't just move the usercontrol to the secure-folder...

     

    I hope that one of you guys and girls can help me with a few pointers on how to handle it.

    Thanks!


    Version(s):
    Umbraco 4.0.2.1 with a fairly edited Runway installed!
    ASP.NET: The controlpanel says 2.0 (butI had to install the 3.5 web.config! The only way I could get the website to work)

     

    Peter Lippert

  • Douglas Robar 3570 posts 4711 karma points MVP ∞ admin c-trib
    Jul 08, 2009 @ 16:25
    Douglas Robar
    0

    You shouldn't need to move the usercontrols since the usercontrols aren't accessed directly by any url. Instead, you'll use a macro that calls the .net control for the contact form (put the macro on the template for the contact form, or in the richtext editor on the contact form's page).

    Then, simply link to the contact form and specify that you want https: instead of http: when you make the link.

    You might want to use a rewrite rule or some other checking (perhaps in the contact form control itself) to redirect to https if the request comes in on http only.

    Or have I misunderstood what you're asking?

    cheers,
    doug.

  • stewart.whiting 15 posts 44 karma points
    Jul 08, 2009 @ 17:11
    stewart.whiting
    0

    I think I understand how your host is doing this - using a single SSL site off their domain, ie. https://secure.yourhost.com/yoursecurefolder

    This way is problematic with the kind of setup Helm expects - Douglas straightforward solution I think would only work with if you had your own SSL cert installed so you could access https://www.yourdomain.com

    The only easy way round this I can think of is to place just a standalone .Net form page/code inside this shared SSL folder, then use an Iframe to include it in the contact page. A bit of a pants solution as far as usability is concerned but definitely a work-around? (The contents of the iframe will then be secured)

  • stewart.whiting 15 posts 44 karma points
    Jul 08, 2009 @ 17:13
    stewart.whiting
    0

    brainfart - I meant Umbraco not Helm in the second paragraph

  • Peter Lippert 12 posts 31 karma points
    Jul 08, 2009 @ 20:45
    Peter Lippert
    0

    Hi

    I thought about the iframe-workaround as well... But its not pretty.

    Doug you say, just link to https://domain.dk/contact.aspx , right? But the 'rewrite rule' i don't understand (sorry :-). What do you mean by that?

     

    Mayby I should say, that I'm quite new with Umbraco :-)

  • Douglas Robar 3570 posts 4711 karma points MVP ∞ admin c-trib
    Jul 08, 2009 @ 22:15
    Douglas Robar
    0

    I'm not an expert in url rewriting (though there are many in the community who are), but what I was thinking was something like that recommended by 'Kalpa' at http://forum.umbraco.org/yaf_postst3224p2_SSL-and-umbraco.aspx. You may also find that the approach within IIS noted by 'JHodgkinson' would be appropriate.

    That forum thread is about securing the /umbraco/umbraco.aspx page, but the theory would be the same for any page.

    Hope that helps.

    cheers,
    doug.

  • Paul Blair 466 posts 731 karma points
    Jul 09, 2009 @ 00:12
    Paul Blair
    0

    This is the URL rewriting rule I used for ensuring https:

        <add name="EnforceSSLForLoginPage"
          virtualUrl="http://(.*)/login"
          rewriteUrlParameter="ExcludeFromClientQueryString"
          destinationUrl="https://$1/login"
          ignoreCase="true"
          redirect="Domain"
          redirectMode="Permanent"/>

    I also wrote a little library to extend NiceURL so I could call that from my code and XSLT that could write a fully qualified https path depending on paramenters passed into it.

    Doug,

    You said "Then, simply link to the contact form and specify that you want https: instead of http: when you make the link." Are you saying there is an option when creating a link in content to choose https? I can't see this if it exists. This was the only thing I couldn't automate for my users which is why I set up the rewriting rules.

    It would be nice for Umbraco to have HTTPS built into it for content and not just the Umbraco back-end. So that NiceURL would generate links based on a page setting....

    Cheers

    Paul

     

  • stewart.whiting 15 posts 44 karma points
    Jul 09, 2009 @ 14:29
    stewart.whiting
    0

    Looking at the support docs for your host you should be able to access your site through their shared SSL.(http://www.mochasupport.com/kayako/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=326).

    You could also get a static IP and a private SSL security specifically for your site (so you could use https://yourdomain.com as well as http://) for only a few dollars a month.

     

    I don't know your exact setup but I figure something like this may work using the shared SSL: (change the contact-form-page.aspx and servername.mochahost... parts)</p> <pre class="prettyprint"><p><span class="pln">    </span><span class="tag"><add</span><span class="pln"> </span><span class="atn">name</span><span class="pun">=</span><span class="atv">"EnforceSSLForContactPage"</span><span class="pln">
          </span><span class="atn">virtualUrl</span><span class="pun">=</span><span class="atv">"http://(.*)/contact-form-page.aspx"</span><span class="pln">
          </span><span class="atn">rewriteUrlParameter</span><span class="pun">=</span><span class="atv">"ExcludeFromClientQueryString"</span><span class="pln">
          </span><span class="atn">destinationUrl</span><span class="pun">=</span><span class="atv">"https://servername.mochahost.com/~yourdomainname.com/contact-form-page.aspx"</span><span class="pln">
          </span><span class="atn">ignoreCase</span><span class="pun">=</span><span class="atv">"true"</span><span class="pln">
          </span><span class="atn">redirect</span><span class="pun">=</span><span class="atv">"Domain"</span><span class="pln">
          </span><span class="atn">redirectMode</span><span class="pun">=</span><span class="atv">"Permanent"</span><span class="tag">/></span>

     

     

  • stewart.whiting 15 posts 44 karma points
    Jul 09, 2009 @ 14:34
    stewart.whiting
    0
    <add name="EnforceSSLForContactPage"
          virtualUrl="http://(.*)/contact-form-page.aspx"
          rewriteUrlParameter="ExcludeFromClientQueryString"
          destinationUrl="https://servername.mochahost.com/~yourdomainname.com/contact-form-page.aspx"
          ignoreCase="true"
          redirect="Domain"
          redirectMode="Permanent"/>



    Try that! Just tested it on my latest Umbraco local dev site and it works ok for the rewrite

  • stewart.whiting 15 posts 44 karma points
    Jul 09, 2009 @ 14:40
    stewart.whiting
    0

    Mochahost looks like quite a good option for shared SSL - I thought they would have had a separate folder that you upload to that is accessible via the shared SSL, it appears in fact that you can access your entire site through the shared SSL (allowing you to do the rewrite and keep everything in Umbraco).

    Douglas - the alternate URL isn't going to cause any problems with Umbraco is it?

Please Sign in or register to post replies

Write your reply to:

Draft