Summit 7 Team Blogs

Securing Web content via public-facing Sitecore login

The question with Sitecore is, most often, not “can we do this?” but “how can we do this?” Admittedly the “how” is sometimes a major development project, but on occasion the high-level functionality we’re looking for is already available, either as standard or via one of the powerful Sitecore Modules. These are the occasions we can be found excitedly sharing our discovery with the rest of the team…and wondering what else we’ve been missing all this time!

An increasingly frequent request from our site owners is for some means to share content with specific outside entities (such as government agencies, contract workers and the like). We do not currently have a “real” extranet solution, so these requests often fall by the wayside, or are accommodated with less-than-ideal alternatives: granting intranet access, email distribution and so on. What our site owners want, though, is a private area of their public site: a seamless member login from the public-facing site to a secured member area.

Using a combination of Modules – specifically the Web Forms for Marketers module (an invaluable tool for creating and managing contact forms of various kinds) – and standard features, I stumbled upon a potential solution.

Note: This methodology comes with a major disclaimer. We are not currently deploying this setup for various reasons. Not least, we need to look very carefully at the potential security risks and privacy concerns before we are confident that content is adequately “secured” in this way. Moreover, the proposed method requires that credentials be created and managed for each user within Sitecore. Such an approach clearly is not viable in the case of a “private” or “member” area for potentially hundreds or thousands of users. In the limited case of a single login provided to a group of users, such as a single board member login provided to all board users, user management would be less problematic. (However – not surprisingly! – Sitecore might have an answer of its own, using a combination of its Marketing Center tools and Web Forms for Marketers to allow users to create and manage their own accounts. Unless or until a real extranet solution is available, Sitecore offers a great workaround in these types of cases.)

  1. Create login/logout forms

The crux of securing content within Sitecore lies with the “save action” area within the Web Forms module. Until now, we had not ventured (nor needed to venture) beyond the standard “send email” and “save to database” actions. Dig a little deeper, and we find “login” and “logout” actions. Apply one of these to the submit button of a basic Sitecore form, configure the source for credential verification (in this case our Sitecore Users, defined within Sitecore’s Security Editor web interface, but it could be an external product such as AD), and you’re good to go. Successful verification of the credentials, on submission, redirects to a success page: the member area, a standard content page/node within Sitecore.

  2. Secure content

To restrict access to our “member area” content, we use the Security Editor to explicitly deny read access to anonymous users.

  3. Create user credentials

Using the User Manager we grant access to select users (based on role or individual user ID).

  4. Apply forms to content pages
  5. Thank Sitecore for its unceasing ability to surprise and delight (relatively)
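
A check for step 2, added here as an example (it is not part of the original post and not Sitecore code): it requests each member-area URL with no cookies or credentials and reports any that still return content instead of a denial. The stub server, the paths and the `/login` redirect target are constructed assumptions, as is the rule that a denial shows up as a 401/403/404 or a redirect to the login page.

```python
import http.server, threading, urllib.error, urllib.request

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Report a redirect as-is instead of following it to the login page.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def anonymous_status(url):
    """Fetch url with no cookies or credentials; return (status, Location)."""
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def is_denied(status, location, login_path):
    """Assumption: denial is a 401/403/404 or a redirect to the login page."""
    if status in (401, 403, 404):
        return True
    return status in (301, 302, 303, 307) and login_path in (location or "")

def audit(base, paths, login_path="/login"):
    """Return (path, status) for every path an anonymous visitor can read."""
    results = [(p, *anonymous_status(base + p)) for p in paths]
    return [(p, s) for p, s, loc in results if not is_denied(s, loc, login_path)]

class StubSite(http.server.BaseHTTPRequestHandler):
    # Constructed stand-in for a site: /members is protected, one child leaks.
    def do_GET(self):
        if self.path == "/members/minutes":  # the one page missing the deny
            self.send_response(200)
        else:
            self.send_response(302)
            self.send_header("Location", "/login")
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo output quiet

def demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), StubSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    try:
        return audit(base, ["/members", "/members/agenda", "/members/minutes"])
    finally:
        server.shutdown()
        server.server_close()
```

Run `audit` against every page under the member area, not only its landing page, since a child item with its own security settings may not carry the deny.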