• Piyush Pandya
  • Member since 2010
  • Comity Designs


Background:
Org has Partner portal login enabled through Sites.

Org does not use custom domain.

 

Site-Level Security: Require Non-Secure Connections (HTTP) is "Not-Checked"

Organization-Level Security: Require Secure Connections (HTTPS) - "Not Checked"
Site url: https://mycompany.secure.force.com/sitelogin

 

Site home page: Page A

 

Page A has the following code to redirect the user to Page B:

<apex:page controller="PageAController" action="{!redirect}" showheader="false"><apex:messages /> </apex:page>

 

When user logs in using https://mycompany.secure.force.com/sitelogin
Browser is forwarded to following URL:
http://mycompany.secure.force.com/frontdoor

to

http://mycompany.force.com/frontdoor

to

http://mycompany.force.com/PageA

to

http://mycompany.force.com/PageB

to

http://mycompany.force.com/sitelogin?refURL=PageB

 

However, in PageB's controller, where the system is querying from the custom object, the system thinks that the user is not authenticated and the user is directed to the http://mycompany.force.com/siteLogin page.


From Firebug, I see that the sid cookie is present in the http://mycompany.secure.force.com/frontdoor redirect with a domain of "mycompany.secure.force.com".
The sid cookie is not present when the browser is making a request to http://mycompany.force.com/PageA or http://mycompany.force.com/PageB

 

Question: Is this expected?

 

From the Sites documentation, I do see that for the following condition:

Site-Level Security: Require Non-Secure Connections (HTTP) is "Not-Checked"

Organization-Level Security: Require Secure Connections (HTTPS) - "Not Checked"

the behavior is: "Site uses HTTP for the post-login session".

 

This instance only occurs in the "Production" environment, where there is a redirect from http://mycompany.secure.force.com/frontdoor to http://mycompany.force.com/frontdoor. In Developer or Sandbox editions this is not replicated, as the redirection does not occur.

My only lead right now is to set Organization-Level Security: Require Secure Connections (HTTPS) to "Checked", which will force the following:

• Site uses HTTPS for the post-login session
• Upon login, users see the secure.force.com domain

 

Any help would be appreciated.
Thank you.
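
Added example (not part of the original post): the cookie matching rules of RFC 6265 applied to the redirect chain listed above, showing on which hops a browser would attach a sid cookie whose domain is "mycompany.secure.force.com". The cookie's path, Secure flag and host-only flag are not stated in the post and are assumptions here; the function names are illustrative.

```javascript
// RFC 6265 section 5.1.3: a host matches the cookie domain if it is identical
// to it or is a subdomain of it (ends with "." + domain).
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// RFC 6265 section 5.1.4: the cookie path must be a prefix of the request path
// on a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Decide whether a browser would send `cookie` with a request to `requestUrl`.
function cookieIsSent(cookie, requestUrl) {
  const u = new URL(requestUrl);
  const hostOk = cookie.hostOnly
    ? u.hostname === cookie.domain.toLowerCase()
    : domainMatches(u.hostname, cookie.domain);
  if (!hostOk) return false;
  if (cookie.secure && u.protocol !== "https:") return false;
  return pathMatches(u.pathname, cookie.path);
}

// Redirect chain exactly as listed in the post.
const redirectChain = [
  "https://mycompany.secure.force.com/sitelogin",
  "http://mycompany.secure.force.com/frontdoor",
  "http://mycompany.force.com/frontdoor",
  "http://mycompany.force.com/PageA",
  "http://mycompany.force.com/PageB",
  "http://mycompany.force.com/sitelogin?refURL=PageB",
];

// Domain is taken from the post; path, secure and hostOnly are assumptions.
const sidCookie = { name: "sid", domain: "mycompany.secure.force.com",
                    path: "/", secure: false, hostOnly: false };

function traceChain(cookie, chain) {
  return chain.map((url) => ({ url, sidSent: cookieIsSent(cookie, url) }));
}

for (const hop of traceChain(sidCookie, redirectChain)) {
  console.log((hop.sidSent ? "sid sent    " : "sid missing ") + hop.url);
}
```

Once the chain leaves mycompany.secure.force.com, the host no longer domain-matches the cookie, so every request to mycompany.force.com goes out without sid; if the cookie also carried the Secure flag, it would not accompany the plain-HTTP frontdoor hop either.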

 

Background information:

 

We have a managed package that is using the Api.Partner_Server_URL_210 to get the serverURL that can be used by the external system to call back into Salesforce using the SOAP API.

 

This managed package is embedded within the Opportunity page. We have enabled the Partner portal through a site.

 

Site is using the custom domain as "mycompany.secure.force.com"

 

Custom domain is not enabled for the org.

 

Working Scenario :

When the PRM portal user is logged in from Salesforce's contact page using "Login to Partner Portal", the user gets to the standard Partner portal page, navigates to the Opportunity page and clicks to view the managed package's custom VF page. In this scenario VF gets "https://managepackagenamespace.na1.salesforce.com/XXXXXX/" as API.Partner_server_URL. Using this URL, the external system is able to connect back to Salesforce via the SOAP API and get the data.

 

Non-working Scenario:

When the PRM portal user is logged in from the external-facing site URL https://mycompany.secure.force.com/sitelogin and then navigates to the Opportunity page and clicks to view the managed package's custom VF page. In this scenario VF gets "https://mycompany.secure.force.com/XXXXXX/" as API.Partner_server_URL. Using this URL, the external system is NOT able to connect back to Salesforce via the SOAP API and get the data.

 

So the question is: is $API.Partner_server_URL supposed to return the "https://managepackagenamespace.na1.salesforce.com/XXXXXX/" value, or does the Salesforce platform not allow API calls to the https://mycompany.secure.force.com/ URL?

 

Any help would be appreciated.

 

Thank you.

I have a VF Component that has a YUI modal window, which contains the following commandButton to log into Sites.

 

<Apex:commandButton id="loginBtnId" styleClass="Button" value="{!$Label.site.login}" action="{!login}" reRender="login_error"/>

 

The template page that includes this VF component contains a single form that has forceSSL="true".

 

I also have the same commandButton on the VF Page that posts the request over SSL, and the user can log into Sites.

 

However, when the user tries to log in using the YUI modal window, the AJAX request does not get posted over SSL and hence the Sites login fails.

 

I cannot use nested <Apex:form> tags, as that forces the viewstate to be loaded multiple times and the page load takes longer on this heavy-traffic site.

 

I have currently removed the reRender from the above tag, which forces the page to post the parent form without AJAX, and it works, but displaying an error message to the user in case of a failed login becomes challenging when the user is using the modal window to log in.

 

So question is, is there a way to force AJAX request to be SSL without using <Apex:form>?