Ensure encrypted navigation on your website via HTTPS
The Composite.Navigation.HttpsEnforcer package enforces encrypted navigation on a C1 website by ensuring that the entire site, or a section of it, is served to visitors over HTTPS ("HTTP Secure"), which is the Hypertext Transfer Protocol running over SSL/TLS to provide encryption and secure identification of the server.
Using this package, you can configure the entire website, or a specific page with all its sub-pages, to require that visitors use HTTPS when browsing its pages. That way, if a visitor accesses an HTTPS-based page via HTTP, he or she will be redirected to the same URL using HTTPS.
How to implement Composite.Navigation.HttpsEnforcer
Important! Before you install the package, you need to make sure that the Certificates Server is installed where IIS is running, a proper certificate is installed on the server and SSL is configured on IIS.
- Install the package.
- In the Layout perspective, add the Composite.Navigation.HttpsEnforcer function to the website template used with pages you will set HTTPS on.
  <f:function name="Composite.Navigation.HttpsEnforcer" xmlns:f="http://www.composite.net/ns/function/1.0">
    <f:param name="AlwaysStayOnHttps" value="False" />
    <f:param name="RedirectC1Users" value="False" />
  </f:function>
- Keep the default values for the parameters or set them as described in "How to configure optional parameters" below.
- Add the HttpsEnforcer Page Settings metadata field (Composite.Navigation.HttpsEnforcer.PageSettings metatype) to the page that you want visitors to access via HTTPS. (This page and all its sub-pages will require HTTPS from now on.)
- Make sure that you set the Inherit Display parameter to "Do not inherit".
- Once the metadata field is added, make sure that the Require HTTPS option is checked on the Metadata tab of the page.
How to configure optional parameters
Always Staying on HTTPS
By default, if visitors use HTTPS to access pages not requiring HTTPS, they will be redirected to pages using HTTP.
To let visitors who are already on HTTPS stay on HTTPS even when they request HTTP-based pages, set the Composite.Navigation.HttpsEnforcer function's AlwaysStayOnHttps parameter to "true".
| Function Parameter | Client uses | Required protocol | Result |
|---|---|---|---|
| AlwaysStayOnHttps = false (default) | HTTPS | HTTP | HTTP (redirected back to HTTP) |
| AlwaysStayOnHttps = true | HTTPS | HTTP | HTTPS (stays on HTTPS) |
Redirecting C1 Users
By default, if users are logged on to the C1 console and browse the website at the same time, they will not be redirected to HTTPS even though they access pages that require this protocol.
To allow the logged-on C1 users to be redirected to HTTPS whenever they access HTTPS-based pages in the web browser, you should set the Composite.Navigation.HttpsEnforcer function's RedirectC1Users parameter to "true".
| Function Parameter | Client uses | Required protocol | Result |
|---|---|---|---|
| RedirectC1Users = false (default) | HTTP | HTTPS | HTTP (not redirected) |
| RedirectC1Users = true | HTTP | HTTPS | HTTPS (redirected) |
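The two tables above can be turned into a redirect audit. The following is an added example, not code from the package: it models the documented behaviour and compares it with observed Location headers. The host `example.test`, the `/shop` page, the function names and the idea that sub-pages share their parent's URL path are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

def requires_https(path, https_roots):
    """True if path is an HTTPS page or lies beneath one (page plus sub-pages)."""
    path = path.rstrip("/") or "/"
    for root in https_roots:
        root = root.rstrip("/") or "/"
        # Match on whole path segments so /shopping is not treated as under /shop.
        if root == "/" or path == root or path.startswith(root + "/"):
            return True
    return False

def expected_redirect(url, https_roots, always_stay_on_https=False,
                      redirect_c1_users=False, c1_user=False):
    """Return the URL the request should be redirected to, or None for no redirect."""
    parts = urlsplit(url)
    needs_https = requires_https(parts.path, https_roots)
    if parts.scheme == "http" and needs_https:
        if c1_user and not redirect_c1_users:
            return None  # logged-on C1 user with RedirectC1Users = false
        target = "https"
    elif parts.scheme == "https" and not needs_https and not always_stay_on_https:
        # Assumption: C1 users are treated like visitors here; the page only
        # describes RedirectC1Users for the HTTP-to-HTTPS direction.
        target = "http"
    else:
        return None
    # Same host, path and query; only the scheme changes.
    return urlunsplit((target,) + tuple(parts[1:]))

def audit(observations, https_roots, **params):
    """Return (url, observed, expected) for every response that deviates."""
    return [(url, got, want) for url, got in observations
            if got != (want := expected_redirect(url, https_roots, **params))]

# Constructed sample data: (requested URL, Location header or None if no redirect).
HTTPS_ROOTS = ["/shop"]
OBSERVED = [
    ("http://example.test/shop/cart?id=7", "https://example.test/shop/cart?id=7"),
    ("http://example.test/shopping", None),
    ("https://example.test/about", "http://example.test/about"),
    ("http://example.test/shop", "https://example.test/"),  # path was dropped
]

if __name__ == "__main__":
    for url, got, want in audit(OBSERVED, HTTPS_ROOTS):
        print(f"MISMATCH {url}: got {got!r}, expected {want!r}")
```

Feed `audit` the Location headers collected from your own site, and pass `always_stay_on_https=True` or `redirect_c1_users=True` to match the parameters set in the template.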
Important notes
- Before you install and use the package, you need to make sure that:
  - The Certificate Server is installed on the target server with IIS.
  - A proper certificate is installed on the server. You might need to request the certificate from a certificate-issuing company such as VeriSign, or generate your own certificate (particularly for testing purposes) by using ad-hoc utilities such as openssl or SelfSSL.
  - SSL is configured on IIS for your website.
- For testing purposes, you can follow the guidelines in:
Requirements
Composite C1 2.0 SP1 or later