Securing DNN with SSL
Posted by Tom on Tuesday, February 20, 2007 to DotNetNuke, SEO, DNN Module Reviews, DNN Tips and Tricks
Since the early days of DNN, the forums have been littered with questions on how to secure (https://) a DotNetNuke website. To this day, this feature does not come “out of the box,” meaning you’ll have to reach out to 3rd party implementations in the form of modules or write your own add-on.
In this post I’m attempting to give a brief overview of what it takes to provide secure communication between a web browser and a web server hosting a DNN-based website. I do this by sharing my experience in utilizing the two most widely known SSL modules on the market today: SSL_Module by Thomas Thorp and SSL Redirect by Sanibel Logic LLC. Since both modules include comprehensive documentation, I’m not going into detail on how to install or configure either one of them, but rather focus on the unique characteristics each solution brings to the table.
My quest to secure DotNetNuke started back in the DNN 2 days. Besides running an ecommerce site, I have maintained a car dealership website over the course of DNN 2, 3 and now 4. This site is a perfect example of the need to secure individual pages of a website as opposed to the entire site. For example, this page contains a credit application which screams for security due to the nature of the information being collected. Other common scenarios include securing the login as well as registration page.
When I first put the credit application live, the site was running DNN 2 and SSL_Module, which was the only module available at that time as far as I remember. The module installation was painless and after setting a few options, selective pages of my website were able to securely exchange information with the web server. Back then life was good.
Just recently, however, I rebuilt the dealership site on DNN 4 and ran into a roadblock with the SSL_Module. Technically the module still performs as advertised, but on secured pages you will end up with “unfriendly” URLs in the old style https://www.mysite.com/default.aspx?tabid=xx format. You may say “What’s the big deal?” and I agree, it’s better than an unsecured page. But as a web marketer I strongly focus on SEO and human-friendly URLs.
A second issue I noticed is that the first page you request after navigating away from the secure page will also be served by an unfriendly URL in the above tabid=xx format, which will ultimately create duplicate content in the eyes of Google and company. I took my dilemma to Thomas Thorp via the Snowcovered Help Desk, but have yet to hear from him.
My search for a solution led me back to Snowcovered to take a closer look at SSL Redirect by Sanibel Logic LLC. This module runs completely off web.config and an additional XML configuration file called SSLRedirect.config. I personally prefer this approach as opposed to storing settings in the database. So besides adding a few lines to web.config and placing a .dll into your bin directory there is nothing to install. To specify pages to be secure you add the URL to the "UrlsIn" section of SSLRedirect.config. This is exactly the flexibility I was looking for and it eventually solved the issue of unfriendly URLs I encountered with the SSL_Module.
To wrap things up, both modules will get the job done. And after Mr. Thorp takes care of those “unlawful” URLs, it will be a matter of whether you prefer “click and save” setup and configuration over diving head first into XML files.
One last point I would like to make is that most problems that you may encounter while setting up SSL on your site are not caused by DNN or the modules mentioned in this post. Make sure you purchase a reputable certificate and install it properly on your IIS server (or have your hosting company take care of it.) Start installing either one of the above solutions only after you are able to successfully browse your site using https://www.mysite.com.
What have you learned while putting a lock on DotNetNuke? Let me know in the comments.