
The Chicken or the Egg

Question about logging in to a custom site+portal.  From the documentation: http://login.salesforce.com/help/doc/en/sites_login_and_registration_settings.htm

"The login and registration forms must be secure. Set the forceSSL attribute to true for these forms. However, salesforce.com recommends that you set forceSSL to false for forms accessed by users who have already been authenticated, such as portal users. Since the forceSSL attribute forces a redirect to a secure URL, authenticated users would encounter an error."


In other words the login and register pages must be https.


Then for the Require Non-Secure Connections we have the following relevant options:

Site-Level Security: Require Non-Secure Connections (HTTP) | Organization-Level Security: Require Secure Connections (HTTPS) | Description

Not checked | Checked |
  • Organization uses only HTTPS
  • Site uses HTTPS for the post-login session
  • Upon login, users see the secure.force.com domain

Checked | Checked |
  • Organization uses only HTTPS
  • Site uses HTTP for the post-login session

Followed by the following Warning:

"If the Require Secure Connections (HTTPS) checkbox on the Session Settings page is selected, and the Require Non-Secure Connections (HTTP) checkbox on the Login Settings page is not selected, users logging in to the associated portal from the site will see the secure.force.com domain. For example, if you registered mycompany.force.com as your custom domain, the URL changes to https://mycompany.secure.force.com upon login."

(the warning applies to Not Checked, Checked)

It looks to me like in the situation where both are checked the user should never have to be exposed to the secure.force.com domain, but then how would the custom login and custom register pages be served, since they require https?  Would it be that only the custom login and register pages would be served with the secure.force.com domain?


Ideally, we would want https://www.acme.com/login and https://www.acme.com/register AND not https://acme.secure.force.com/login.  After login, everything would be OK as just http.  The documentation is not exactly as straightforward as I'd like for something that can only be "tested" in production.
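As an added illustration of the setup the question describes (this is example code, not code from the thread or from the Salesforce documentation), below is a minimal Sites login controller. It assumes a Visualforce page declared as <apex:page controller="AcmeSiteLoginController" forceSSL="true"> (the class and page names are hypothetical), so that the credential POST is forced onto HTTPS, which on a Site without a custom HTTPS domain means the secure.force.com host. Site.login is the standard Apex call used by the generated SiteLogin page; the startURL validation is an added hardening step, not something the documentation quoted above requires.

```apex
// Added example (not from the thread or the Salesforce docs). Assumes a
// Visualforce page <apex:page controller="AcmeSiteLoginController" forceSSL="true">
// with apex:inputText/apex:inputSecret bound to username/password and an
// apex:commandButton calling {!login}. Names here are hypothetical.
global with sharing class AcmeSiteLoginController {
    global String username { get; set; }
    global String password { get; set; }

    global PageReference login() {
        // Where to land after login. Whether that page is served over HTTP or
        // HTTPS is decided by the site/org checkboxes quoted in the question,
        // not by anything in this controller; the page itself should not set
        // forceSSL="true", or authenticated users hit the redirect error the
        // documentation warns about.
        String startUrl = System.currentPageReference().getParameters().get('startURL');

        // Only accept a site-relative path. An absolute URL or a
        // protocol-relative "//host" value would turn the login page into an
        // open redirect; fall back to the site root instead.
        if (startUrl == null || !startUrl.startsWith('/') || startUrl.startsWith('//')) {
            startUrl = '/';
        }

        // Site.login returns a PageReference to startUrl on success and null on
        // failure, in which case the login page re-renders; show failures via
        // <apex:pageMessages/> on the page rather than echoing any detail.
        return Site.login(username, password, startUrl);
    }
}
```

Because forceSSL="true" on the login page triggers the redirect to https://<site>.secure.force.com before the form is even rendered, the credential submission never travels over http://www.acme.com; only the post-login pages are affected by the Require Non-Secure Connections (HTTP) setting.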




There isn't a way to use a custom domain with HTTPS on sites (it's on the roadmap). So you'd use http://www.acme.com and https://acme.secure.force.com


Thanks for answering me...that's what I suspected since it would require a way to handle a different SSL cert, but I feel like I'm missing something from the documentation:


1. The warning box has:

"For example, if you registered mycompany.force.com as your custom domain, the URL changes to https://mycompany.secure.force.com upon login."


Wouldn't it already be https://mycompany.secure.force.com on the login screen before the login, so there would be no change?  To me, the more accurate statement would be that it remains https://mycompany.secure.force.com, and to document that the other combinations change from a login page that must be https://mycompany.secure.force.com to http://mycompany.com when SSL isn't required?


2. Also, that same warning box has the following URL:



Wouldn't a login form submission with that URL fail due to forceSSL needing to be true for SiteLogin?


Are my interpretations accurate?

Thanks again for your help.