Sitecore how to configure SSL (HTTPS) in your Sitecore config files

SSL and HTTPS have been the hot topic since Google began to use HTTPS as a signal in their search rankings.

Fortunately, Sitecore really does not care if it runs in HTTP or HTTPS, so most of the configurations are purely .NET related. Here is what you do if you have a single domain Sitecore installation, or a Sitecore installation that shares the root domain (en.mydomain.com/de.mycomain.com/…).

STEP 1: OBTAIN A SSL CERTIFICATE AND INSTALL IT ON YOUR SERVER

This usually involves a hosting company. If you are lucky enough (as I am) to know a hosting company that takes responsibility and provide a great service, this requires sending a mail and wait for the answer. If not you can follow one of the many guides online on how to obtain and install the SSL certificate.

STEP 2: MODIFY FORMS AUTHENTICATION

In web.config, add your domain to the forms authentication. This is pure .NET, nothing to do with Sitecore. Replace the MYCOMAIN.COM with your own domain.

<authentication mode="None">
  <forms domain=".MYDOMAIN.COM" timeout="43200" slidingExpiration="true" name=".ASPXAUTH" cookieless="UseCookies" />
</authentication>

STEP 3: MODIFY HTTPCOOKIES

In web.config, add your domain and set requireSSL in the httpCookies property. Again, this is .NET, not Sitecore specific. This binds any cookies to the root domain we specify, and secures the cookie (no cookies are sent to the server unless the connection is secure (HTTPS)).

<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" domain=".YOURDOMAIN.COM" />

STEP 4: CHANGE THE SCHEME PROPERTY IN THE SITES SECTION

In Sitecore.config, set the scheme=”https” in your sites section. This is used by Sitecore when URL’s are generated, and ensures that when a fully qualified URL is generated, the URL is prefixed with https://

<site name="website" 
      scheme="https"
      hostName="YOURDOMAIN.COM" 
      targetHostName="YOURDOMAIN.COM" 
      ... ... 
/>

STEP 5: ALLOW YOUR IIS OR LOAD BALANCER TO REDIRECT ALL REQUESTS FROM HTTP TO HTTPS

The site as configured now will still serve pages using the HTTP protocol. But any cookies will not be persisted unless we use the proper domain and proper scheme. So you need to redirect any HTTP request to HTTPS. This is always a fun coding project, but can also be achieved by configuring the load balancer, or using the IIS URL Rewrite Module.

MORE INFO

HTTPS In Sitecore by Anders Laub
A Recipe for Solid SSL in Sitecore by Brainjocks
AUTOMATING HOST NAMES AND SSL CERTIFICATES FOR SITECORE INSTANCES by Jeremy Davis
Google is about to start favoring HTTPS sites in search results by TheNextWeb
How To Set Up an HTTPS Service in IIS by Microsoft
Redirect from HTTP to HTTPS using the IIS URL Rewrite module by Microsoft

About briancaos

Developer at Pentia A/S since 2003. Have developed Web Applications using Sitecore Since Sitecore 4.1.

View all posts by briancaos →

1 Response to Sitecore how to configure SSL (HTTPS) in your Sitecore config files

Andy Burns says:

April 7, 2017 at 3:20 pm

FWIW, you can also specify requireSSL on the Forms node too, to secure the .ASPXAUTH cookie.

LikeLike

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.