Sitecore how to configure SSL (HTTPS) in your Sitecore config files

SSL and HTTPS have been a hot topic since Google began to use HTTPS as a signal in their search rankings.

Fortunately, Sitecore really does not care if it runs in HTTP or HTTPS, so most of the configurations are purely .NET related. Here is what you do if you have a single domain Sitecore installation, or a Sitecore installation that shares the root domain (en.mydomain.com/de.mydomain.com/…).

STEP 1: OBTAIN AN SSL CERTIFICATE AND INSTALL IT ON YOUR SERVER

This usually involves a hosting company. If you are lucky enough (as I am) to know a hosting company that takes responsibility and provides a great service, this requires sending a mail and waiting for the answer. If not, you can follow one of the many guides online on how to obtain and install the SSL certificate.

STEP 2: MODIFY FORMS AUTHENTICATION

In web.config, add your domain to the forms authentication. This is pure .NET, nothing to do with Sitecore. Replace MYDOMAIN.COM with your own domain.

<authentication mode="None">
  <forms domain=".MYDOMAIN.COM" timeout="43200" slidingExpiration="true" name=".ASPXAUTH" cookieless="UseCookies" />
</authentication>

STEP 3: MODIFY HTTPCOOKIES

In web.config, add your domain and set requireSSL on the httpCookies element. Again, this is .NET, not Sitecore specific. This binds any cookies to the root domain we specify and marks them as secure, so no cookies are sent to the server unless the connection is secure (HTTPS).

<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" domain=".YOURDOMAIN.COM" />

STEP 4: CHANGE THE SCHEME PROPERTY IN THE SITES SECTION

In Sitecore.config, set scheme="https" in your sites section. Sitecore uses this when URLs are generated, and it ensures that any fully qualified URL it generates is prefixed with https://

<site name="website" 
      scheme="https"
      hostName="YOURDOMAIN.COM" 
      targetHostName="YOURDOMAIN.COM" 
      ... ... 
/>

STEP 5: ALLOW YOUR IIS OR LOAD BALANCER TO REDIRECT ALL REQUESTS FROM HTTP TO HTTPS

The site as configured now will still serve pages using the HTTP protocol, but cookies will not be persisted unless the request uses the proper domain and the proper scheme. So you need to redirect any HTTP request to HTTPS. This is always a fun coding project, but can also be achieved by configuring the load balancer, or using the IIS URL Rewrite Module.
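
One way to do the redirect with the IIS URL Rewrite Module, shown as an added example that is not part of the original post. It assumes the module is installed, and the second condition assumes that a TLS-terminating load balancer sets the X-Forwarded-Proto header (the rule name is made up for illustration):

```xml
<!-- Added example, not from the original post. Goes inside <configuration> in web.config. -->
<system.webServer>
  <rewrite>
    <rules>
      <!-- Rule name is illustrative. stopProcessing keeps later rules from
           running on a request that is about to be redirected. -->
      <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAll">
          <!-- The connection that reached IIS is not TLS ... -->
          <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
          <!-- ... and the load balancer did not report HTTPS on the client side.
               Assumption: the balancer terminates TLS and sets X-Forwarded-Proto.
               Without this condition such a setup loops, because IIS only ever
               sees plain HTTP from the balancer. -->
          <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^https$" negate="true" ignoreCase="true" />
        </conditions>
        <!-- {HTTP_HOST} keeps en./de. style subdomains intact; {R:1} is the
             requested path, and the query string is appended by default. -->
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

If IIS is directly exposed with no load balancer in front, drop the X-Forwarded-Proto condition: a client can send that header itself and suppress the redirect. Behind a balancer, make sure it overwrites any client-supplied value.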


About briancaos

Developer at Pentia A/S since 2003. Have developed Web Applications using Sitecore Since Sitecore 4.1.
This entry was posted in Sitecore 6, Sitecore 7, Sitecore 8.

One Response to Sitecore how to configure SSL (HTTPS) in your Sitecore config files

  1. Andy Burns says:

    FWIW, you can also specify requireSSL on the Forms node too, to secure the .ASPXAUTH cookie.
