Table of Contents
You can implement SSL by dropping the SSL widget onto a page.
The recommended approach for securing your site is to run every page over SSL. This can be configured easily by changing the SSL setting in the communityserver_override.config file to to “all” and touching the web.config file. As an added security protection if you are running your site over Forms Authentication, you should also update the web.config for your site so that the Forms node has a requireSSL attribute set to true. This attribute will force the authentication cookie to only be transmitted from the browser to the site whenever the connection is over SSL.
Another option is to ensure that only authenticated users are making requests over SSL. This is an option which doesn't force an anonymous user to be connected over SSL. To configure this option, you should set the requireSSL attribute on the Forms authentication node of the web.config to be true. Next, you should update the communityserver.config file and change the ssl option to be “Password”. This will redirect a user who visits a page transmitting a password to make an the request over SSL. Once the user is logged in, he/she will only transmit their authentication cookie over the SSL connection. This is a good option because it not only protects passwords from being transmitted over a non-SSL connection, but requires authentication cookies to be transmitted over SSL.
An additional measure of protection is to use the Telligent Community Server Redirect to SSL widget on any page you want to have solely transmitted over SSL. This approach is useful whenever your communityserver_override.config ssl setting is set to "Ignore" or "Password" and you want to secure additional pages.
Here is a breakdown of how SSL works in Community Server:
- If SSL="Ignore" then no redirects are made.
- If SSL="Ignore" and web.config has requireSSL for cookie, then authenticated users will be redirected to SSL.
- If SSL="Password" then there are redirects to SSL only for pages transmitting a password.
- If SSL="Password" and web.config has requireSSL for cookie, then redirects to SSL are made only for pages that transmit a password or when the user is authenticated.
- If SSL="All" redirects are always made to SSL.
Here is a chart showing the conditions under which SSL redirect occurs.
|SSL setting (communityserver)_override.config)||requireSSL setting (web.config)|
|Password||Yes for pages which send passwords; if you access a secure page, you will be redirected to a non-secure one.||Yes for pages which send passwords.||Yes for pages which send passwords; if you access a secure page, you will be redirected to a non-secure one.||Yes|
The default setting is for ssl="Password" and requireSSL=false, meaning the user is kept on SSL when he/she authenticates, but is not forced to be over SSL. The recommended and most secure configuration is ssl="Password" and requireSSL=true.
Custom code may overrule these settings and force a page to be viewed over SSL. An example of this is the SSL widget. If you drop this widget onto a page, it forces the page to be viewed over SSL.