Running the Starter Site With an SSL Front End

There are a number of appliances out there that will carry the work of creating and maintaining an HTTPS (SSL) connection.  This removes the burden from the web server leaving providing better response all around.  Between the appliance and the web server the connection is unencrypted HTTP.  Because the Starter Site is written to require a secure connection out of the box it will complain about the unencrypted connection when you try to access a secure page.

Luckily, you can change a couple of settings in the Starter Site to allow it to run behind one of these appliances without complaining.  Here's how, in 4 easy steps:

  1. In web.config's "commerceSite" section add (or modify) the "requireSSL" property to "false" and "useSecureUrls" property to "true".

  2. In the web.config's "system.web\authentication\forms" section change the "loginUrl" property to contain the absolute URL path to the login page, for example: "".

  3. In web.sitemap, change all the URLs that start with "~/Profile/" to start with the absolute URL path to the profile section.  For example: <siteMapNote url=""...>

  4. In User\Login.aspx.cs add the following snippet of code to the end of the LoginForm_LoggedIn method:

     string returnUrl = Request.QueryString["ReturnUrl"];
    if (String.IsNullOrEmpty(returnUrl))
        returnUrl = "~/";

Following these steps should allow the Starter Site to work behind an SSL accelerator appliance.

For those of you curious about why each step is required, here's an explanation:

  1. When we built the Starter Site we had SSL accelerators in mind.  These options work together to allow this.  Note that setting "useSecureUrls" to false is a common developer scenario when you don't want to set up SSL (just make sure you set things proper when you actually deploy!).
  2. Normally the site checks to make sure the login page is secure before showing it, but it's not possible to know that when behind an accelerator.  This forces ASP.NET Forms Authentication to use the HTTPS url for the login page.
  3. The sitemap is a static file and therefore can't be modified on the fly based on the "useSecureUrls" setting (and it wasn't important enough to warrant writing a custom provider).  This change makes the links absolute.  While you're at it you may want to change the other links in the web.sitemap to be their absolute "http" URL equivalents to get people back to non-HTTP for other pages in the site.
  4. The action in step 2 ends up confusing the login control slightly so this code works around that confusion and forces the redirect.

In a later post I'll show another way to get this to work behind your accelerator if your appliance supports it.