I followed the FAQ for forcing my admin login page to be https and ended up with an error message when trying to log in that informed me that the information was being submitted to a non-SSL location. Clicking OK on this prompt just reloaded the login.php page.
Digging in the forums I found a combination that seems to be working:
Add the following under your $config['root_url'] line in config.php...
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']=='on') {
    $config['root_url'] = 'https://www.yourdomain.com';
}
This combined with the .htaccess rule to force https is working great. I didn't see this spelled out anywhere and was curious what others were doing for this to work. Maybe this will help someone in a future search.
SSL Admin
Re: SSL Admin
Before v1.9 I used to change $config['root_url'] in config.php from:
Code:
$config['root_url'] = 'http://www.blah.com';
to:
Code:
$config['root_url'] = 'https://www.blah.com';
and it was enough.
After the 1.9 upgrade I was still able to log in with the same config.php, but the release was causing too many issues, so I went back to 1.8.2.
I tried 1.9.1 recently and had the same issue, so I was happy to find this post with your solution, which works with 1.9.1 too - except I still have to set the root url as https, like this:
Code:
$config['root_url'] = 'https://www.blah.com';
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']=='on') {
    $config['root_url'] = 'https://www.blah.com';
}
The universe of information technology is constantly growing and contains only emerging products built on successive patches
Re: SSL Admin
Thanks for the hint. Works great.
Re: SSL Admin
That's really useful. The existing security Wiki article only talks about redirecting http://blah.com/admin to https://blah.com/admin, which doesn't work by itself!
Code:
$config['root_url'] = 'https://www.blah.com';
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']=='on') {
    $config['root_url'] = 'https://www.blah.com';
}
BTW, it's worth using Wireshark to check such things actually work properly. Earlier on, before I applied that config.php change, I found the logins were happening in clear-text before the 301 redirect to SSL.

Cheers
- Martin
Re: SSL Admin
For some reason I cannot get this to work.
This is the .htaccess in my admin dir:
Code:
# force all access to /admin to SSL protected page
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
And this is the part of the config.php-file that should be edited:
Code:
#Document root as seen from the webserver. No slash at the end
#If page is requested with https use https as root url
#e.g. http://blah.com
$config['root_url'] = 'http://www.mysite.nl';
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']=='on') {
    $config['root_url'] = 'https://www.mysite.nl';
}
#SSL URL. This is used for pages that are marked as secure.
$config['ssl_url'] = 'https://www.mysite.nl';
Am I missing something?
Thanks,
Hans
I'm on CMSMS 1.9.4