U4-4737 - UmbracoUseSSL Doesn't Automatically Redirect in Umbraco 7

Created by Brian Powell 22 Apr 2014, 12:34:43 Updated by Shannon Deminick 01 Oct 2014, 01:07:01

In Umbraco versions 4.x-6.x, setting UmbracoUseSSL=true in web.config would automatically redirect the user to an HTTPS URL if they tried accessing the backend. In Umbraco 7.1.1 (and I think the rest of 7.x), having this setting enabled will fail attempts to authenticate if the user isn't on HTTPS, but it no longer automatically redirects the user. I had to install and configure rules in the IIS Rewrite module to handle redirecting the user. I'm not sure if this change was intentional, but at the very least it needs to be documented.

Comments

Ryan Savage 09 Jun 2014, 21:47:51

I have run into the same issue using 7.1.0 and 7.1.4. I'm also using IIS Rewrite as a workaround.


Arie 10 Jun 2014, 15:31:28

I'm on 7.1.4 and it not only fails to redirect to HTTPS, it also allows using HTTP.

Here's the key from the web.config:


Ranjit J. Vaity 11 Jul 2014, 07:33:33

Hi Guys,

The issue seems to be unassigned to any core team member and hence was not addressed. Assigning it now.

Thanks, Ranjit


Arie 25 Jul 2014, 01:50:13

This ought to be flagged as a security issue. Can it be addressed in 7.1.5?


Arie 25 Jul 2014, 01:52:12

Given that security issues should have a high priority, I'm taking the liberty to bump the priority from "normal" to "major".


Brian Powell 30 Sep 2014, 14:56:15

The URL Rewrite solution appears to break Scheduled Publishing.


Brian Powell 01 Oct 2014, 01:01:42

I've created a pull request at https://github.com/umbraco/Umbraco-CMS/pull/493 to fix this problem. It adds a new UmbracoUseSSL filter that will redirect to HTTPS if umbracoUseSSL in web.config is true. I specified the filter on BackOfficeController so that backoffice pages will redirect to HTTPS if needed.
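The kind of filter described in the comment above, as an added example that is not the code from the pull request or from Umbraco: an ASP.NET MVC authorization filter that enforces HTTPS only when the `umbracoUseSSL` appSettings key is true. The names `RequireHttpsWhenUseSslAttribute` and `AdminAreaController` are hypothetical, and the example assumes HTTPS is served on the default port.

```csharp
using System;
using System.Configuration;
using System.Web.Mvc;

// Hypothetical filter name; illustrates the approach, not Umbraco's implementation.
public class RequireHttpsWhenUseSslAttribute : RequireHttpsAttribute
{
    // Reads the appSettings key discussed in this issue.
    // A missing or unparsable value is treated as "off".
    private static bool UseSsl()
    {
        bool enabled;
        return bool.TryParse(ConfigurationManager.AppSettings["umbracoUseSSL"], out enabled)
               && enabled;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        if (!UseSsl()) return;               // setting off: plain HTTP is left alone
        base.OnAuthorization(filterContext); // calls HandleNonHttpsRequest when not secure
    }

    protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        bool safeMethod =
            string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(request.HttpMethod, "HEAD", StringComparison.OrdinalIgnoreCase);

        // A POST over HTTP has already sent its body (for example, login
        // credentials) in clear text, so reject it instead of redirecting.
        if (!safeMethod)
        {
            filterContext.Result = new HttpStatusCodeResult(403, "HTTPS required");
            return;
        }

        // Same host and path, https scheme, default port (assumption: 443).
        var target = new UriBuilder(request.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        filterContext.Result = new RedirectResult(target.Uri.AbsoluteUri);
    }
}

// Hypothetical controller standing in for a back-office controller.
[RequireHttpsWhenUseSsl]
public class AdminAreaController : Controller
{
    public ActionResult Index() { return Content("back office"); }
}
```

Behind a load balancer or proxy that terminates TLS, `Request.IsSecureConnection` is false for every request, so a filter like this would redirect in a loop unless the forwarded scheme is taken into account.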


Priority: Major

Type: Bug

State: Fixed

Assignee: Shannon Deminick

Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted: Pull request

Affected versions: 7.1.1, 7.1.4, 7.1.6

Due in version: 7.2.0
