security

Sep 20, 2007 at 9:16 PM
I just installed BlogEngine and I love it. Great job!
I was wondering how I can lock down my installation, etc.
How can I ensure login security? Has anyone used SSL with BE?

Thanks!
Oct 1, 2007 at 9:30 PM
I would like to use HTTPS protocol for /login.aspx and all /admin/ pages too. I have tried to change loginURL parameter in web.config from:

<forms timeout="129600" name=".AUXBLOGENGINE" protection="All" slidingExpiration="true" loginUrl="~/login.aspx" cookieless="UseCookies" />

to:

<forms timeout="129600" name=".AUXBLOGENGINE" protection="All" slidingExpiration="true" loginUrl="https://www.somedomain.cz/login.aspx" cookieless="UseCookies" />

Unfortunately it did not work. I think it has to be supported by BE code. On the other hand, even if supported natively, it does not solve the browser warning when an SSL page contains at least one object served over http only. This could be pretty annoying for many users.
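
An added example, not part of the original thread and not BlogEngine's own code: one way to force HTTPS for /login.aspx and /admin/ is an ASP.NET HTTP module that redirects plain-HTTP requests for those paths. The class name `RequireHttpsModule` and its registration are assumptions made for illustration.

```csharp
using System;
using System.Web;

// Hypothetical module (added example). Register it in web.config under
// <system.web><httpModules> with an <add name="..." type="RequireHttpsModule" /> entry.
public class RequireHttpsModule : IHttpModule
{
    // Paths named in the post above: the login page and everything under /admin/.
    private static readonly string[] ProtectedPaths = { "~/login.aspx", "~/admin/" };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Nothing to do if the request already arrived over SSL or is not protected.
        if (ctx.Request.IsSecureConnection) return;
        if (!IsProtected(ctx.Request.AppRelativeCurrentExecutionFilePath)) return;

        // Same host, path and query string; only the scheme and port change.
        UriBuilder target = new UriBuilder(ctx.Request.Url);
        target.Scheme = Uri.UriSchemeHttps;
        target.Port = -1; // -1 selects the default port for the scheme (443)
        ctx.Response.Redirect(target.Uri.AbsoluteUri, true);
    }

    // An entry ending in "/" matches as a directory prefix, otherwise as an exact page.
    internal static bool IsProtected(string appRelativePath)
    {
        foreach (string p in ProtectedPaths)
        {
            bool match = p.EndsWith("/")
                ? appRelativePath.StartsWith(p, StringComparison.OrdinalIgnoreCase)
                : string.Equals(appRelativePath, p, StringComparison.OrdinalIgnoreCase);
            if (match) return true;
        }
        return false;
    }

    public void Dispose() { }
}
```

Setting `requireSSL="true"` on the `<forms>` element complements the redirect by marking the authentication cookie Secure, so the browser never sends it over plain HTTP.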