@mattab opened this Issue on February 11th 2012 Member

Currently, there is a setting force_ssl_login that forces the login details to be submitted over https.

However, since the token_auth is confidential, and sometimes passed in URLs (API requests, ajax requests done in the admin screens, etc.) it is desired to have a setting that would ensure that Piwik can ONLY be used over SSL.

  • when force_ssl=1 then all requests will be redirected to the https:// URL.
  • Expected: If SSL is not properly configured then Piwik will NOT work. User can edit the config file to set force_ssl = 0 to re-enable Piwik in this case.
  • This setting is different from assume_secure_protocol
  • Also, update the How to setup secure server guide with this new setting recommendation.
@mattab commented on February 12th 2012 Member

(In [5815]) Fixes #2918

  • Adding new setting force_ssl that will automatically redirect all http:// requests to the https:// equivalent. This ensures better security for the Piwik server, since the token_auth is often found in the response body or in the GET parameters.
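The redirect that a force_ssl=1 setting implies, written out as an added illustration that is not Piwik's own code: the config key names force_ssl and assume_secure_protocol come from the issue, while the function names, the $server argument and the reading of assume_secure_protocol as "trust that the outer connection was already https" are this example's assumptions.

```php
<?php
// Added example, not Piwik's code. Decides, for one request, whether it must be
// redirected to https. Kept free of globals so the decision is testable.
//
// $config: ['force_ssl' => 0|1, 'assume_secure_protocol' => 0|1]
// $server: a copy of $_SERVER (HTTPS, HTTP_HOST, REQUEST_URI are read)
// Returns the https URL to redirect to, or null when no redirect is needed.
// Throws InvalidArgumentException when the Host header is not a safe hostname.
function forceSslRedirectTarget(array $config, array $server)
{
    if (empty($config['force_ssl'])) {
        return null;                                  // setting off
    }
    // Behind a TLS-terminating proxy PHP sees plain http. The issue notes that
    // force_ssl is a different setting from assume_secure_protocol; here the
    // latter is assumed to mean "the outer connection is https", which avoids
    // a redirect loop in that deployment (assumption of this example).
    if (!empty($config['assume_secure_protocol'])) {
        return null;
    }
    $https = isset($server['HTTPS']) && $server['HTTPS'] !== '' && $server['HTTPS'] !== 'off';
    if ($https) {
        return null;                                  // already secure
    }
    // HTTP_HOST is client-supplied; validate it before echoing it into a
    // Location header so the redirect cannot be pointed at another host.
    $host = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '';
    if (!preg_match('/^[A-Za-z0-9.-]+(:[0-9]{1,5})?$/', $host)) {
        throw new InvalidArgumentException('refusing to redirect: invalid Host header');
    }
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    return 'https://' . $host . $uri;                 // path and query are preserved
}

// Call at the very start of request handling, before any output is sent.
function enforceForceSsl(array $config)
{
    try {
        $target = forceSslRedirectTarget($config, $_SERVER);
    } catch (InvalidArgumentException $e) {
        header('HTTP/1.1 400 Bad Request');
        exit;
    }
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
}
```

A redirect only stops Piwik from answering over http: a token_auth that arrived in the original http request has already crossed the wire in clear, so API and dashboard clients should be pointed at the https URL directly rather than relying on the redirect.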
@mattab commented on February 12th 2012 Member
This Issue was closed on February 13th 2012