Piyush Pandya

Sites Double Login Issue

Background:
Org has Partner portal login enabled through Sites.

Org does not use custom domain.

 

Site-Level Security: Require Non-Secure Connections (HTTP) is "Not-Checked"

Organization-Level Security: Require Secure Connections (HTTPS) - "Not Checked"
Site url: https://mycompany.secure.force.com/sitelogin

 

Site home page: Page A

 

Page A has following code to redirect user to Page B

<apex:page controller="PageAController" action="{!redirect}" showheader="false"><apex:messages /> </apex:page>

 

When user logs in using https://mycompany.secure.force.com/sitelogin
Browser is forwarded to following URL:
http://mycompany.secure.force.com/frontdoor

to

http://mycompany.force.com/frontdoor

to

http://mycompany.force.com/PageA

to

http://mycompany.force.com/PageB

to

http://mycompany.force.com/sitelogin?refURL=PageB

 

However, in PageB's controller, where the system is querying the custom object, the system thinks that the user is not authenticated and the user is directed to the http://mycompany.force.com/siteLogin page.


From Firebug, I see that the sid cookie is present in the http://mycompany.secure.force.com/frontdoor redirect with a domain of "mycompany.secure.force.com".
The sid cookie is not present when the browser is making requests to http://mycompany.force.com/PageA or http://mycompany.force.com/PageB.

 

Question: Is this expected?

 

From the Sites documentation, I do see that for the following condition:

Site-Level Security: Require Non-Secure Connections (HTTP) is "Not-Checked"

Organization-Level Security: Require Secure Connections (HTTPS) - "Not Checked"

the behavior is: "Site uses HTTP for the post-login session".

 

This only occurs in the "Production" environment, where there is a redirect from http://mycompany.secure.force.com/frontdoor to http://mycompany.force.com/frontdoor. In Developer or Sandbox editions this is not replicated, as the redirection does not occur.

My only lead right now is to set Organization-Level Security: Require Secure Connections (HTTPS) to "Checked", which will force the following:

• Site uses HTTPS for the post-login session
• Upon login, users see the secure.force.com domain

 

Any help would be appreciated.
Thank you.
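
The cookie behaviour reported above, as an added example that is not part of the original post and is not Salesforce code: it applies RFC 6265 domain matching to the sid cookie over the redirect chain from the post. The cookie domain is taken from the post; the host_only and secure values are assumptions, since the post does not state them.

```python
from urllib.parse import urlsplit

def domain_match(host, cookie_domain, host_only):
    """RFC 6265 section 5.1.3 domain matching."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    # A Domain= cookie also matches subdomains; a host-only cookie does not.
    return (not host_only) and host.endswith("." + cookie_domain)

def cookie_sent(cookie, url):
    """Return True if a browser would attach this cookie to a request for url."""
    parts = urlsplit(url)
    # A Secure cookie is never attached to a plain-HTTP request.
    if cookie["secure"] and parts.scheme != "https":
        return False
    return domain_match(parts.hostname, cookie["domain"], cookie["host_only"])

def trace(cookie, chain):
    """Evaluate the cookie against every hop of a redirect chain."""
    return [(url, cookie_sent(cookie, url)) for url in chain]

# Redirect chain as listed in the post.
CHAIN = [
    "http://mycompany.secure.force.com/frontdoor",
    "http://mycompany.force.com/frontdoor",
    "http://mycompany.force.com/PageA",
    "http://mycompany.force.com/PageB",
]

# Domain is from the post; host_only and secure are assumed values.
SID = {
    "name": "sid",
    "domain": "mycompany.secure.force.com",
    "host_only": True,
    "secure": False,
}

if __name__ == "__main__":
    for url, sent in trace(SID, CHAIN):
        print(("sid sent    " if sent else "sid missing ") + url)
```

Changing host_only to False gives the same result, because mycompany.force.com is not a subdomain of mycompany.secure.force.com.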

 

mikefitz

Ensure the profile for the user has access to the Visualforce pages.

If the user doesn't have access then the system assumes the user needs to login to access the page.

 

Just check the security on the profiles to ensure they have access to the vf pages and you should be good.