Remove force_ssl_login setting -> only support force_ssl for security #4001

Closed
anonymous-piwik-user opened this Issue · 13 comments

3 participants

@anonymous-piwik-user

Updated:

After researching we decided to remove the setting force_ssl_login from the codebase. From now on, please use exclusively force_ssl=1

See FAQ: Piwik enable SSL and Configure Piwik for security

@mattab
Owner

Works for me, force_ssl_login is for login form only and force_ssl is for all pages.

For the Overlay+SSL bug see #3691

@anonymous-piwik-user

My global.inc.php has force_ssl_login = 1 and force_ssl = 0.

Try for yourself:

http://geekbox.me/piwik (should redirect to SSL)
user = piwik
pass = piwik123

Notice how after logging in, it doesn't go back to non-SSL.

@mattab
Owner

I can reproduce that force_ssl_login=1 will also redirect non-Login URLs to SSL.

@sksksksk

I'm also affected by the overlay issue described in #3691, and the combination of force_ssl and force_ssl_login would somehow solve the issue for me (so that only the login screen is SSL). But as this bug report describes, this is not the case.

I'm confused with the last comment of matt: although you say you can reproduce the issue, you've closed the report and set the resolution to worksforme. Isn't this a contradiction?

@mattab
Owner

It was a misclick, thanks for pointing it out!

@sksksksk

Sorry for going off topic: there seems to be no way to subscribe to a ticket under this Trac installation. I can't change the CC field.

@mattab
Owner

Updated spec for this ticket to clarify what does not work:

if I set force_ssl_login to 1, and force_ssl to 0, then the login will be secure, but after login user should be redirected to HTTP. Unfortunately, once I log in, the site remains in SSL mode.

@mattab
Owner

It's hard to make force_ssl_login work as described here. Instead I will completely remove the force_ssl_login setting from the settings. Please only use force_ssl from now on. One reason we don't like force_ssl_login is that the auth cookie would have to be sent over HTTP, which is not secure. So this setting has no extra value compared to force_ssl.

If there are other bugs in Piwik with force_ssl then please post on the related ticket or create new bug reports if not there already.

How do I force Piwik to use SSL for more security?

@mattab
Owner

In d168471: Fixes #4001 Deprecate force_ssl_login setting as it's too hard to properly enforce

@sksksksk

I understand the difficulty and why you removed the option. But please put a note in the FAQ that with this option site overlays won't work on non-SSL sites.

@mattab
Owner

OK, that sounds like a good improvement: in case the website does not load in HTTPS, we default it to HTTP. Or maybe we always use the website over HTTP for the overlay report?

Since it already opens in a new window, we can simply open that new window over HTTP?

@mattab
Owner

We have to deal with the cookie set which is set with "secure" flag right now... not sure what the solution is to have authentication work on HTTP with the cookie on HTTPS...
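The two security points raised above (that force_ssl_login alone leaves the auth cookie crossing the wire in clear text on every non-login page, and that a cookie set with the Secure flag is never sent by the browser over plain HTTP, which is what breaks the overlay) can be checked with a small model. The following is an added illustration, not Piwik's code: the redirect policy, the `module=Login` path check, the request list and the cookie values are all constructed assumptions, and the cookie jar rule is the standard browser behaviour for the Secure attribute.

```python
"""Toy model of Piwik's force_ssl / force_ssl_login settings (added example).

Assumptions (not Piwik code): a request is a scheme plus a path, the login
form is recognised by "module=Login" in the path, and the browser follows the
usual rule that a cookie carrying the Secure flag is only sent over HTTPS.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    scheme: str  # "http" or "https"
    path: str    # e.g. "/index.php?module=CoreHome"


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool  # True when Set-Cookie carried the Secure attribute


def must_redirect_to_https(req: Request, force_ssl: bool, force_ssl_login: bool) -> bool:
    """Server-side policy: force_ssl covers every page, force_ssl_login only
    the login form (assumed detection: 'module=Login' in the path)."""
    if req.scheme == "https":
        return False
    if force_ssl:
        return True
    return force_ssl_login and "module=Login" in req.path


def cookie_sent_on(req: Request, cookie: Cookie) -> bool:
    """Browser rule: a Secure cookie never travels on a plain-HTTP request."""
    return req.scheme == "https" or not cookie.secure


def plaintext_cookie_exposures(requests, force_ssl, force_ssl_login, cookie):
    """Paths on which the auth cookie would be transmitted in clear text.
    A request that the policy bounces to HTTPS never reaches the page, so it
    is not counted."""
    exposed = []
    for req in requests:
        if must_redirect_to_https(req, force_ssl, force_ssl_login):
            continue
        if req.scheme == "http" and cookie_sent_on(req, cookie):
            exposed.append(req.path)
    return exposed


def pages_without_auth(requests, force_ssl, force_ssl_login, cookie):
    """Paths served over HTTP on which the user arrives unauthenticated
    because the browser withholds the Secure cookie (the overlay problem)."""
    return [
        req.path
        for req in requests
        if not must_redirect_to_https(req, force_ssl, force_ssl_login)
        and not cookie_sent_on(req, cookie)
    ]


# Constructed sample: a user who logged in and then browses over plain HTTP.
SAMPLE_REQUESTS = [
    Request("http", "/index.php?module=Login"),
    Request("http", "/index.php?module=CoreHome"),
    Request("http", "/index.php?module=Overlay"),
]
# Constructed cookie values; the token is a placeholder, not a real session.
INSECURE_COOKIE = Cookie("piwik_auth", "placeholder-token", secure=False)
SECURE_COOKIE = Cookie("piwik_auth", "placeholder-token", secure=True)


if __name__ == "__main__":
    print("force_ssl_login=1, force_ssl=0, cookie without Secure ->",
          plaintext_cookie_exposures(SAMPLE_REQUESTS, False, True, INSECURE_COOKIE))
    print("force_ssl=1 ->",
          plaintext_cookie_exposures(SAMPLE_REQUESTS, True, False, INSECURE_COOKIE))
    print("force_ssl=0 with a Secure cookie, pages that lose auth ->",
          pages_without_auth(SAMPLE_REQUESTS, False, False, SECURE_COOKIE))
```

Running it shows the trade-off the thread arrives at: with force_ssl_login only, the cookie must be usable on HTTP and therefore leaks on every ordinary page; with force_ssl=1 every request is redirected and nothing leaks; and a Secure cookie with no forced redirect leaks nothing but leaves HTTP pages (the overlay window included) without a session.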

@mattab
Owner

I created ticket for this feature request #4700

@anonymous-piwik-user anonymous-piwik-user added this to the 2.1 - Piwik 2.1 milestone
@sabl0r sabl0r referenced this issue from a commit in sabl0r/piwik
@mattab mattab Fixes #4001 Deprecate force_ssl_login setting as it's too hard to properly enforce (d168471)
This issue was closed.