+ Start a Discussion

Using Sites with Customer Portal: Browsers think the login page is an attack page

Because our customer portal needed a lot of style modifications, I decided to go via the Sites route, creating all pages using visualforce and associating the portal with the site.


My login page as of now is:



No browser likes the https. All warn me that this is an attack site.


For example IE gives the

"There is a problem with this website's security certificate.

The security certificate presented by this website was issued for a different website's address."
Chrome also mentions a similar error and also puts a red crossmark over the https: part of the URL.
Using just http does not show an error in the login page but the rest of the pages still have the red cross over the https.



What am I missing here? Currently this portal and the site are being built in our sandbox environment.

What must I do to ensure there are no such errors with browsers and still retain the secure https:// URLs.




Any ideas folks?




I got this from the help section in salesforce. Navigate to site detail page and click on login settings and then do the following for site level security.


  • Select the Require Non-Secure Connections (HTTP) checkbox if you want to override your organization's security settings and exclusively use HTTP when logging in to the portal from your site. If this checkbox is not selected, the Require Secure Connections (HTTPS) setting found at Your Name | Setup | Security Controls | Session Settingsis used to determine the security level.
    The following table illustrates the relationship between these settings.
    Site-Level Security: Require Non-Secure Connections (HTTP)Organization-Level Security: Require Secure Connections (HTTPS)Description
    Not checkedNot checked
    • Organization can use either HTTP or HTTPS
    • Site uses HTTP for the post-login session
    CheckedNot checked
    • Organization can use either HTTP or HTTPS
    • Site uses HTTP for the post-login session
    Not checkedChecked
    • Organization uses only HTTPS
    • Site uses HTTPS for the post-login session
    • Upon login, users see the secure.force.com domain
    • Organization uses only HTTPS
    • Site uses HTTP for the post-login session
    If the Require Secure Connections (HTTPS) checkbox on the Session Settings page is selected, and the Require Non-Secure Connections (HTTP) checkbox on the Login Settings page is not selected, users logging in to the associated portal from the site will see the secure.force.com domain. For example, if you registered mycompany.force.com as your custom domain, the URL changes to https://mycompany.secure.force.com upon login.

    Customers using a script to login to sites can use the optionalrefURLURL parameter to retain the custom domain name after login. This parameter has no effect if Require Non-Secure Connections (HTTP) has been set for the site or Require Secure Connections (HTTPS)has been set for the organization. An example URL usingrefURLis: http://mysite.secure.force.com/SiteLogin?refURL=http://mysite.com.

  • The Secure Web Address field shows the unique Force.com URL for this site when using SSL.




Yup, in sandbox you will get this warning. You should not see it in your production organization.