I'm working on a public website that was built using SharePoint (WSS). We need to add an area in the site where people will be able to purchase items with their credit cards and obviously the area needs to be secured.

The website is using Form Based Authentication and the users need to stay logged in when they are moved back and forth from the https zone.

I know how to enable SSL for a new web application / site collection but this isn't really an option for me as the website is already online and we don't want the whole thing to be secured.

I am comfortable with the development of the webparts involved (payment module, shopping cart, etc.) but I can't really figure out how to create only certain https pages when the site collection is created.

Can you have features that deploy pages that are secured? If so, how? Can you have a zone where SSL is enabled but where the users are redirected to and from without losing their authentication (FBA)?

Thanks!

+1  A: 

Can you not extend the web application and just enable SSL on one web application? Then you can just link to the secured version of the site when you need to. As long as they are both on the same domain the FBA cookie should work on both web apps.

Lee Dale
Thanks, will try that out. I was under the impression that the authentication wouldn't follow.
Hugo Migneron
A: 

Another option I would try would be to leave everything in the same web application, but have it set up so that it can be accessed via both SSL and non-SSL.

Then I would write an HttpModule which checks the incoming request url and redirects back and forth between the secure and non-secure states. For example the logic might look something like this:

    If request url starts with http://mydomain.com/secure
        --> Redirect to https://mydomain.com/secure
    Else if request url starts with https://mydomain.com/general
        --> Redirect to http://mydomain.com/general
    Else
        --> Do nothing and let request execute

The advantage of this approach is that the http module will be more reliable and you won't have to rely on the links within your content pages to do the switching.

Paul Lucas
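
The redirect logic from the answer above, written as an ASP.NET HttpModule. This is an added example, not code from the answer's author: the class name SchemeSwitchModule is hypothetical, the /secure and /general prefixes come from the pseudocode, and it assumes SSL terminates on IIS with the default ports 80 and 443.

```csharp
using System;
using System.Web;

// Added example; SchemeSwitchModule is a hypothetical name.
public class SchemeSwitchModule : IHttpModule
{
    // Path prefixes taken from the pseudocode in the answer.
    private const string SecurePrefix = "/secure";
    private const string GeneralPrefix = "/general";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;
        string path = req.Url.AbsolutePath;

        // Assumption: SSL terminates on IIS. If it terminates on an upstream
        // firewall or proxy, IsSecureConnection is always false here and the
        // first branch would redirect in a loop.
        if (!req.IsSecureConnection && IsUnder(path, SecurePrefix))
            SwitchScheme(ctx, Uri.UriSchemeHttps);
        else if (req.IsSecureConnection && IsUnder(path, GeneralPrefix))
            SwitchScheme(ctx, Uri.UriSchemeHttp);
        // Otherwise do nothing and let the request execute.
    }

    // Match on a whole path segment so "/securely" is not treated as "/secure".
    private static bool IsUnder(string path, string prefix)
    {
        return path.Equals(prefix, StringComparison.OrdinalIgnoreCase)
            || path.StartsWith(prefix + "/", StringComparison.OrdinalIgnoreCase);
    }

    private static void SwitchScheme(HttpContext ctx, string scheme)
    {
        // Rebuild from the parsed request URL, keeping host, path and query.
        // Port = -1 selects the default port of the new scheme.
        UriBuilder target = new UriBuilder(ctx.Request.Url) { Scheme = scheme, Port = -1 };
        ctx.Response.Redirect(target.Uri.AbsoluteUri, true);
    }
}
```

The module is registered in web.config under `<httpModules>`, or under `<modules>` when IIS 7 runs in integrated mode.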
+1  A: 

There are several ways to approach this:

  1. If your firewall supports it you can terminate SSL at the firewall level and have that determine which pages need to be secured via SSL (e.g. using ISA server) and keep the existing site as is.

  2. Alternatively you can set up the existing web site to accept requests via both HTTPS and HTTP. At the IIS level this involves installing an SSL certificate and adding an additional binding on port 443. At the SharePoint level you also need to add an alternate access mapping to make SharePoint aware of the https URL. I have documented these steps at http://www.sharepointconfig.com/2010/03/configuring-a-sharepoint-website-to-allow-ssl-connections/. You can then enforce specific pages to use SSL using the IIS 7 Url Rewrite module or via an HttpModule.

  3. You can extend the web application onto a new IIS web site (Microsoft does recommend using separate IIS sites for HTTP and SSL in their article at http://technet.microsoft.com/en-us/library/cc298636.aspx). This does add the overhead of running and managing two IIS websites, web.config files, etc., which may or may not be required. This approach would also need some way of redirecting requests to the appropriate protocol.

Ari
Great answer! Option #2 seems like the best one at the moment because all of that can be done fairly quickly. Will also look into option #3. We have an automatic web.config modifier which would remove most of the overhead involved. Thanks again for the answer, will mark as accepted once I get something working.
Hugo Migneron