
Remove force_ssl_login setting -> only support force_ssl for security #4001

Closed
anonymous-matomo-user opened this issue Jun 11, 2013 · 13 comments
Assignees
Labels
Bug For errors / faults / flaws / inconsistencies etc. Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical.
Milestone

Comments

@anonymous-matomo-user

Updated:

After researching we decided to remove the setting force_ssl_login from the codebase. From now on, please use exclusively force_ssl=1

See FAQ: Piwik enable SSL and Configure Piwik for security

@mattab
Member

mattab commented Jun 18, 2013

Works for me, force_ssl_login is for login form only and force_ssl is for all pages.

For the Overlay+SSL bug see #3691

@anonymous-matomo-user
Author

My global.inc.php has force_ssl_login = 1 and force_ssl = 0.

Try for yourself:

http://geekbox.me/piwik (should redirect to SSL)
user = piwik
pass = piwik123

Notice how after logging in, it doesn't go back to non-SSL.

@mattab
Member

mattab commented Jan 13, 2014

I can reproduce that force_ssl_login=1 will also redirect non-login URLs to SSL.

@heisenbol

I'm also affected by the overlay issue described in #3691, and the combination of force_ssl and force_ssl_login would somehow solve the issue for me (so that only the login screen is ssl). But as this bug report describes, this is not the case.

I'm confused with the last comment of matt: although you say you can reproduce the issue, you've closed the report and set the resolution to worksforme. Isn't this a contradiction?

@mattab
Member

mattab commented Jan 13, 2014

It was a misclick, thanks for pointing it out!

@heisenbol

Sorry for going off-topic: there seems to be no way to subscribe to a ticket under this trac installation. I can't change the cc field.

@mattab
Member

mattab commented Feb 11, 2014

Updated spec for this ticket to clarify what does not work:

if I set force_ssl_login to 1, and force_ssl to 0, then the login will be secure, but after login user should be redirected to HTTP. Unfortunately, once I log in, the site remains in SSL mode.

@mattab
Member

mattab commented Feb 11, 2014

It's hard to make force_ssl_login work as described here. Instead I will completely remove the force_ssl_login setting from the settings. Please only use force_ssl from now on. One reason we don't like force_ssl_login is that the auth cookie would have to be sent over HTTP, which is not secure. So this setting has no extra value compared to force_ssl.

If there are other bugs in piwik with force_ssl then please post on the related ticket or create new bug reports if not there already.

how do I force Piwik to use SSL for more security?

@mattab
Member

mattab commented Feb 11, 2014

In d168471: Fixes #4001 Deprecate force_ssl_login setting as it's too hard to properly enforce

@heisenbol

I understand the difficulty and why you remove the option. But please put a note in the faq that with this option site overlays won't work on non SSL sites.

@mattab
Member

mattab commented Feb 11, 2014

Ok that sounds like a good improvement: in case the website does not load in HTTPS, we default it to HTTP. Or maybe we always use website over HTTP for overlay report?

Since it already opens in a new window, we can simply open that new window over HTTP ?

@mattab
Member

mattab commented Feb 11, 2014

We have to deal with the cookie set which is set with "secure" flag right now... not sure what the solution is to have authentication work on HTTP with the cookie on HTTPS...
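The cookie reasoning in the two comments above (force_ssl_login has no extra value because the auth cookie would have to travel over HTTP, and a Secure-flagged cookie cannot authenticate an HTTP page), shown as an added Python example that is not part of this issue or of the Piwik code base. It uses the standard-library CookieJar to model browser behaviour; the hostname, cookie name and token value are constructed.

```python
"""Why "HTTPS login, HTTP everywhere else" cannot work with a sensibly flagged auth cookie."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "piwik.example.test"  # constructed hostname


class FakeResponse:
    """Constructed stand-in for the response CookieJar.extract_cookies() expects:
    it only needs an .info() returning a header object with get_all()."""
    def __init__(self, set_cookie: str):
        self._msg = Message()
        self._msg["Set-Cookie"] = set_cookie

    def info(self):
        return self._msg


def login_over_https(jar: CookieJar, secure_flag: bool) -> None:
    """Simulate the login form response setting the auth cookie over HTTPS."""
    attrs = "Path=/; HttpOnly" + ("; Secure" if secure_flag else "")
    req = Request(f"https://{HOST}/index.php?module=Login")
    # cookie name and token are constructed, not Piwik's real values
    jar.extract_cookies(FakeResponse(f"auth_cookie=constructed-token; {attrs}"), req)


def cookie_sent_to(jar: CookieJar, url: str) -> bool:
    """Would a browser attach the auth cookie to a request for this URL?"""
    req = Request(url)
    jar.add_cookie_header(req)  # applies RFC 6265 scoping, including the Secure rule
    return "auth_cookie=" in (req.get_header("Cookie") or "")


def force_ssl_login_outcome(secure_flag: bool) -> dict:
    """force_ssl_login=1, force_ssl=0: login on HTTPS, then the user lands on HTTP pages."""
    jar = CookieJar()
    login_over_https(jar, secure_flag)
    return {
        "authenticated_over_http": cookie_sent_to(jar, f"http://{HOST}/index.php?module=CoreHome"),
        "token_exposed_in_clear": cookie_sent_to(jar, f"http://{HOST}/"),
        "authenticated_over_https": cookie_sent_to(jar, f"https://{HOST}/index.php?module=CoreHome"),
    }


def force_ssl_outcome() -> dict:
    """force_ssl=1: every page is HTTPS, so a Secure cookie always works and never leaks."""
    jar = CookieJar()
    login_over_https(jar, secure_flag=True)
    return {"authenticated_over_https": cookie_sent_to(jar, f"https://{HOST}/"),
            "token_exposed_in_clear": cookie_sent_to(jar, f"http://{HOST}/")}
```

With the Secure flag the user is logged out as soon as the redirect to HTTP happens; without it the session token is sent in clear text on every HTTP page, which is the trade-off the comment describes.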

@mattab
Member

mattab commented Feb 17, 2014

I created a ticket for this feature request: #4700
