SSL and HTTPS have been the hot topic since Google began to use HTTPS as a signal in their search rankings.
Fortunately, Sitecore really does not care whether it runs over HTTP or HTTPS, so most of the configuration is purely .NET related. Here is what you do if you have a single-domain Sitecore installation, or a Sitecore installation whose sites share the root domain (en.mydomain.com/de.mydomain.com/…).
STEP 1: OBTAIN AN SSL CERTIFICATE AND INSTALL IT ON YOUR SERVER
This usually involves a hosting company. If you are lucky enough (as I am) to know a hosting company that takes responsibility and provides a great service, this requires sending a mail and waiting for the answer. If not, you can follow one of the many guides online on how to obtain and install the SSL certificate.
STEP 2: MODIFY FORMS AUTHENTICATION
In web.config, add your domain to the forms authentication. This is pure .NET, nothing to do with Sitecore. Replace MYDOMAIN.COM with your own domain.
<authentication mode="None">
  <forms domain=".MYDOMAIN.COM" timeout="43200" slidingExpiration="true" name=".ASPXAUTH" cookieless="UseCookies" />
</authentication>
STEP 3: MODIFY HTTPCOOKIES
In web.config, add your domain and set requireSSL on the httpCookies element. Again, this is .NET, not Sitecore specific. This binds cookies to the root domain we specify and marks them as secure: the browser will not send them to the server unless the connection is secure (HTTPS).
<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" domain=".YOURDOMAIN.COM" />
STEP 4: CHANGE THE SCHEME PROPERTY IN THE SITES SECTION
In Sitecore.config, set scheme="https" in your sites section. Sitecore uses this when it generates URLs, and it ensures that any fully qualified URL is prefixed with https://
<site name="website" scheme="https" hostName="YOURDOMAIN.COM" targetHostName="YOURDOMAIN.COM" ... ... />
STEP 5: ALLOW YOUR IIS OR LOAD BALANCER TO REDIRECT ALL REQUESTS FROM HTTP TO HTTPS
The site as configured will still serve pages over HTTP, but cookies will not be persisted unless the request uses the proper domain and the proper scheme. So you need to redirect every HTTP request to HTTPS. This is always a fun coding project, but it can also be achieved by configuring the load balancer or by using the IIS URL Rewrite Module.
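A redirect rule for the IIS URL Rewrite Module option, added here as an example (it is not from the original post). It assumes the URL Rewrite Module is installed; the rule name is arbitrary, and the second condition assumes a TLS-terminating load balancer that sets the X-Forwarded-Proto header. Remove that condition if IIS terminates TLS itself.

```xml
<!-- Goes inside <configuration> in web.config. Example only; rule name is arbitrary. -->
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
        <!-- Match every path; {R:1} below is the captured path -->
        <match url="(.*)" />
        <!-- MatchAll: redirect only when BOTH conditions hold -->
        <conditions logicalGrouping="MatchAll">
          <!-- The connection that reached IIS was not TLS -->
          <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
          <!-- Assumption: the load balancer sets X-Forwarded-Proto.
               When TLS ends at the load balancer, {HTTPS} is always OFF,
               so without this condition the rule would redirect forever.
               A missing header does not match ^https$, so plain HTTP
               requests are still redirected. -->
          <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^https$" negate="true" />
        </conditions>
        <!-- 301 to the same host and path over HTTPS;
             the query string is appended by default -->
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

After deploying, request a page over http:// and confirm a 301 response with an https:// Location header, then check that the cookies on the HTTPS response carry the Secure and HttpOnly attributes.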
MORE INFO
- HTTPS In Sitecore by Anders Laub
- A Recipe for Solid SSL in Sitecore by Brainjocks
- AUTOMATING HOST NAMES AND SSL CERTIFICATES FOR SITECORE INSTANCES by Jeremy Davis
- Google is about to start favoring HTTPS sites in search results by TheNextWeb
- How To Set Up an HTTPS Service in IIS by Microsoft
- Redirect from HTTP to HTTPS using the IIS URL Rewrite module by Microsoft
FWIW, you can also specify requireSSL on the Forms node too, to secure the .ASPXAUTH cookie.