Created by Brian Powell 22 Apr 2014, 12:34:43 Updated by Shannon Deminick 01 Oct 2014, 01:07:01
In Umbraco versions 4.x-6.x, setting UmbracoUseSSL=true in web.config would automatically redirect the user to an HTTPS URL if they tried accessing the backend. In Umbraco 7.1.1 (and I think the rest of 7.x), having this setting enabled will fail attempts to authenticate if the user isn't on HTTPS, but it no longer automatically redirects the user. I had to install and configure rules in the IIS Rewrite module to handle redirecting the user. I'm not sure if this change was intentional, but at the very least it needs to be documented.
I have run into the same issue using 7.1.0 and 7.1.4. I'm also using IIS Rewrite as a workaround.
I'm on 7.1.4 and it not only fails to redirect to HTTPS, it also allows using HTTP.
Here's the key from the web.config:
The issue seems to be unassigned to any core team member, hence it was not addressed. Assigning it now.
This ought to be flagged as a security issue. Can it be addressed in 7.1.5?
Given that security issues should have a high priority, I'm taking the liberty to bump the priority from "normal" to "major".
The URL Rewrite solution appears to break Scheduled Publishing.
I've created a pull request at https://github.com/umbraco/Umbraco-CMS/pull/493 to fix this problem. It adds a new UmbracoUseSSL filter that will redirect to HTTPS if umbracoUseSSL in web.config is true. I specified the filter on BackOfficeController so that backoffice pages will redirect to HTTPS if needed.
Assignee: Shannon Deminick
Backwards Compatible: True
Fix Submitted: Pull request
Affected versions: 7.1.1, 7.1.4, 7.1.6
Due in version: 7.2.0
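
A filter of the kind the pull request comment describes, as an added example that is not the code from pull request 493 or Umbraco's own. It assumes ASP.NET MVC's `RequireHttpsAttribute` as the base class; the name `BackOfficeRequireSslAttribute` is hypothetical, and the only setting it reads is the `umbracoUseSSL` appSetting mentioned in the thread.

```csharp
using System;
using System.Configuration;
using System.Web.Mvc;

// Added example: enforce HTTPS on a controller only when umbracoUseSSL is true.
// Hypothetical usage: [BackOfficeRequireSsl] on the back-office controller class.
public class BackOfficeRequireSslAttribute : RequireHttpsAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        // A missing or unparsable value is treated as "false" (no enforcement),
        // matching a site that never opted in to SSL for the back office.
        bool useSsl;
        bool.TryParse(ConfigurationManager.AppSettings["umbracoUseSSL"], out useSsl);
        if (!useSsl) return;

        // The base class checks Request.IsSecureConnection and calls
        // HandleNonHttpsRequest when the request arrived over plain HTTP.
        // Note: behind a TLS-terminating proxy IsSecureConnection is false,
        // so this check would need to look at the proxy's forwarded scheme.
        base.OnAuthorization(filterContext);
    }

    protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        bool safeMethod =
            string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(request.HttpMethod, "HEAD", StringComparison.OrdinalIgnoreCase);

        if (safeMethod)
        {
            // Same host, path and query string, over HTTPS.
            string target = "https://" + request.Url.Host + request.RawUrl;
            filterContext.Result = new RedirectResult(target);
            return;
        }

        // A POST (for example a login) has already sent its body in clear text;
        // a redirect would not undo that and would drop the body, so refuse it.
        filterContext.Result = new HttpStatusCodeResult(403, "SSL required");
    }
}
```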