Recommended approach
The recommended approach for securing your site is to run every page over SSL. This can be configured quite easily by changing the SSL setting in the communityserver_override.config file to to “all” and touching the web.config file. As an added security protection, if you are running your site over Forms authentication, you should also update the web.config for your site so that the forms node has a requireSSL attribute set to true. This will force the authentication cookie to only be transmitted from the browser to the site whenever the connection is over SSL.
Alternative approach
Another option is to ensure that only authenticated users are making requests over SSL. This is an option which will not force an anonymous user to be connected over SSL. To configure this option, you should set the requireSSL attribute on theForms authentication node in the web.config to be true. Next, you should update the communityserver.config file and change the ssl option to be “Password”. This will redirect a user who visits a page that transmits a password to make an SSL request. Then, once the user is logged in, they will only transmit their authentication cookie over an SSL connection. This is a good option because it not only protects passwords from being transmitted over a non-SSL connection, but also requires authentication cookies to be transmitted over SSL.
An additional measure of protection is to use the Telligent Enterprise 3.0 Redirect to SSL widget on any page that you want to only be transmitted over SSL. This is useful whenever your communityserver_override.config ssl setting is set to "Ignore" or "Password", and you want to secure additional pages.
SSL behavior
Here is a breakdown of how SSL works in Telligent Enterprise:
- If SSL="Ignore" then no redirects are made.
- If SSL="Ignore" and web.config has requireSSL for cookie, then authenticated users will be redirected to SSL.
- If SSL="Password" then there are redirects to SSL only for pages transmitting a password.
- If SSL="Password" and web.config has requireSSL for cookie, then redirects to SSL are made only for pages that transmit a password or when the user is authenticated.
- If SSL="All" redirects are always made to SSL.
Here is a chart showing the conditions under which SSL redirect occurs.
The default setting is for ssl="Password" and requireSSL=false, meaning the user is kept on SSL when he/she authenticates, but is not forced to be over SSL. The recommended and most secure configuration is ssl="Password" and requireSSL=true.
Custom code may overrule these settings and force a page to be viewed over SSL. An example of this is the SSL widget. If you drop this widget onto a page, it forces the page to be viewed over SSL.