Ravens PHP Scripts: Forums
 

 

sixonetonoffun
Posted: Wed Mar 31, 2004 12:47 pm

Please try on non production sites first.
Report any issues here if they come up.
Feedback is requested.

Function sslMyurl:
Detects if SSL is active for the current domain.
If not, and Shared SSL is available on your server,
you can use Shared SSL for your important pages like logins.
If no Shared SSL is available leave empty.
$shared_ssl = "";
If no SSL is available at all it should do nothing. That is,
providing the instructions for calling it are followed.

What is Shared SSL?
This is when your host allows you to access their SSL certificate
through their domain as top level domain and your directory
below it, like this:

$shared_ssl = "www.hosts_https_domain.xxx/~user_name";

Usage:
Warning* Backup files!

Files to edit = 3:
config.php
mainfile.php
Your_Account/index.php (You can do this with admin too. In fact I recommend it.)

First get the Shared SSL URL from your host, if you haven't your own.

Let's Hack the Files:
mainfile.php
Add the function (See Below) to mainfile.php (or any common.php/vars.php this isn't nuke specific).
Just before the closing ?> is fine.

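Code:

function sslMyurl()
{
    global $shared_ssl;
    // $_SERVER['HTTPS'] is not set on plain HTTP requests; read it without a notice.
    $https = isset($_SERVER['HTTPS']) ? $_SERVER['HTTPS'] : '';
    // SSL reported active for the current domain: same host and path over https.
    if ($https != "on" && (getenv('HTTPS') == 'on')) {
        $server = $_SERVER['SERVER_NAME'];
        $path = $_SERVER['REQUEST_URI'];
        $sec_url = 'https://'.$server.$path;
        header("Location: ".$sec_url);
        exit;
    }
    // Shared SSL configured in config.php: same path under the host's https URL.
    if ($shared_ssl != "" && strlen($shared_ssl) > 7) {
        $server = $shared_ssl;
        $path = $_SERVER['REQUEST_URI'];
        $sec_url = 'https://'.$server.$path;
        header("Location: ".$sec_url);
        exit;
    }
}
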

Add line to config.php
Code:


$shared_ssl = "www.hosts_https_domain.xxx/~user_name";

Replace the example value above with your host's shared SSL URL, no trailing slash.
Or if you have your own SSL leave empty.

Your_Account/index.php:
After:
require_once("mainfile.php");
Add:
Code:

if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
    sslMyurl();
}

Next:
You will have to change any header redirects from the current page.
header("location:
With
Example:
Header("Location: modules.php?name=$module_name&file=index");

Must be changed to redirect from https back to http.
Watch the slashes! If nukeurl has a trailing slash you don't add one here.
Header("Location: $nukeurl/modules.php?name=$module_name&file=index");

If nukeurl had a trailing slash for some reason do this instead.
Header("Location: "$nukeurl.modules.php?name=$module_name&file=index");

Note*
$nukeurl will have to be declared in the global function where Header() is called.


Disclaimer*
I haven't tested this much. Then only on PHPNuke6.0!
But don't see where it should create any issues so
long as the instructions are followed. The exception
will be remotely linked images they won't be secure.
But there shouldn't be any in the areas for logins.
anyway you have them in your footer or left column.

Why bother?
Because if you have SSL available this will eliminate 99% of people logging in and raising cain on your site.

Why is that?
Because their real IP is revealed as SSL requires a direct connection to the user's PC. More ISPs will respond to positive proof such as SSL connection evidence provides.

Edit* I left out the bit for Your_Account Grr! Ok is there now.
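
A stricter take on the redirect in this post, as an added example that is not the poster's code: the HTTPS host comes only from configuration, the request path is checked for control characters before it goes into the Location header, and the value "off" that IIS reports for HTTPS is treated as not secure. The names secureLoginUrl and $canonical_host, and the host www.example.com, are assumptions.

```php
<?php
// Added example (not from the thread). Hypothetical names: secureLoginUrl(),
// $canonical_host. Returns the https URL to redirect to, or null when the
// request is already secure or the configured host is unusable.
function secureLoginUrl(array $server, $shared_ssl, $canonical_host)
{
    // Already on https: return null so the caller cannot loop.
    // IIS (ISAPI) sets HTTPS to "off" on plain requests, so test the value too.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return null;
    }
    // The host comes from config only. SERVER_NAME can follow the client's
    // Host header on some server setups, so it is not used for the target.
    $host = ($shared_ssl !== '') ? rtrim($shared_ssl, '/') : $canonical_host;
    if (!preg_match('#^[A-Za-z0-9._-]+(/[A-Za-z0-9._~/-]*)?\z#', $host)) {
        return null;
    }
    $path = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    // Accept only an absolute local path with no control characters, spaces
    // or backslashes; anything else falls back to the site root.
    if (!preg_match('#^/[^\x00-\x20\x7f\\\\]*\z#', $path)) {
        $path = '/';
    }
    return 'https://' . $host . $path;
}

// Constructed sample requests: plain HTTP, a path carrying CR/LF, already HTTPS.
$samples = array(
    array('REQUEST_URI' => '/modules.php?name=Your_Account'),
    array('REQUEST_URI' => "/modules.php?name=Your_Account\r\nX-Test: 1"),
    array('HTTPS' => 'on', 'REQUEST_URI' => '/modules.php?name=Your_Account'),
);
foreach ($samples as $s) {
    $url = secureLoginUrl($s, 'www.hosts_https_domain.xxx/~user_name', 'www.example.com');
    // A real caller would send header('Location: ' . $url) and exit when $url is not null.
    echo ($url === null ? '(no redirect)' : $url), "\n";
}
```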
 
sixonetonoffun







Posted: Wed Mar 31, 2004 7:39 pm

Ok so it only kinda works. I'm still having trouble with
header("Location
I even tried using the fopen method.
Seems like the urls almost have to be hard coded to switch from https to http. Using redirects https seems to corrupt the header. Then everything that requires user to be logged in redirects back to login again which is fine for me... but it isn't for everyone.
Had enough for the day
 
Raven
Site Admin/Owner



Posted: Wed Mar 31, 2004 9:31 pm

I think you just need a little tweak ;)

change this
Code:
Header("Location: "$nukeurl.modules.php?name=$module_name&file=index");
to
Code:
Header("Location: ".$nukeurl."modules.php?name=".$module_name."&file=index");
 
sixonetonoffun







Posted: Fri Apr 02, 2004 11:07 pm

Thanks Raven tip helped.

I'm going to have to check out the sessions and cookie path I think to resolve all "My" issues. But the function is working Gr8! So long as all member functions are performed on the https url.

Lack of sleep was the issue that day for me. I was mistaking the above as an error with redirection when all along I was losing the sessions because of the funky domain stuff with a shared SSL. I have some code that relies on user status and it flaked of course. And when it flakes it does session_unregister() to make a complete circle of it forcing me back to tada! the login page and back to https lol!

I'll get back to it in a couple days.
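
The session loss described in this post follows from how browsers scope cookies. As an added example that is not from the thread, the RFC 6265 domain and path matching rules are applied here to the shared SSL placeholder host; the helper names, the cookie arrays and www.example.com are assumptions.

```php
<?php
// Added example (not from the thread); helper names are hypothetical.
// RFC 6265 domain-match: same host, or a dot-boundary suffix when the
// cookie was set with a Domain attribute. IP-literal hosts are not handled.
function domainMatches($host, $cookieDomain, $hostOnly)
{
    $host = strtolower($host);
    $cookieDomain = strtolower(ltrim($cookieDomain, '.'));
    if ($host === $cookieDomain || $hostOnly) {
        return $host === $cookieDomain;
    }
    $suffix = '.' . $cookieDomain;
    return substr($host, -strlen($suffix)) === $suffix;
}

// RFC 6265 path-match: equal, or a prefix that ends on a "/" boundary.
function pathMatches($requestPath, $cookiePath)
{
    if ($requestPath === $cookiePath) {
        return true;
    }
    if (strpos($requestPath, $cookiePath) !== 0) {
        return false;
    }
    return substr($cookiePath, -1) === '/'
        || substr($requestPath, strlen($cookiePath), 1) === '/';
}

function cookieIsSent($url, array $cookie)
{
    $u = parse_url($url);
    $path = isset($u['path']) ? $u['path'] : '/';
    if ($cookie['secure'] && $u['scheme'] !== 'https') {
        return false;
    }
    return domainMatches($u['host'], $cookie['domain'], $cookie['host_only'])
        && pathMatches($path, $cookie['path']);
}

// Constructed cookies and URLs; www.example.com stands in for the site's own domain.
$own    = array('domain' => 'www.example.com', 'host_only' => true, 'path' => '/', 'secure' => false);
$shared = array('domain' => 'www.hosts_https_domain.xxx', 'host_only' => true, 'path' => '/~user_name/', 'secure' => true);
$sslUrl = 'https://www.hosts_https_domain.xxx/~user_name/modules.php?name=Your_Account';
var_dump(cookieIsSent($sslUrl, $own));                                  // site cookie on the shared SSL host
var_dump(cookieIsSent('http://www.example.com/modules.php', $shared));  // shared-host cookie back on the site
var_dump(cookieIsSent('https://www.hosts_https_domain.xxx/~other_user/index.php', $shared)); // another tenant's directory
var_dump(cookieIsSent($sslUrl, $shared));                               // shared-host cookie in its own directory
```

Setting the cookie path to the account's own directory on the shared host, as the $shared cookie does, keeps the browser from sending it to other directories under the same certificate host.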
 
sixonetonoffun







Posted: Sat Apr 03, 2004 10:44 pm

I think IIS users would have to add this to the function?
Code:

// REQUEST_URI may be missing under IIS; rebuild it from argv[0].
if (!isset($_SERVER['REQUEST_URI'])) {
    $_SERVER['REQUEST_URI'] = substr($_SERVER['argv'][0], strpos($_SERVER['argv'][0], ';') + 1);
}

Just added it before someone says this S&$* don't work... wouldn't hurt anyway.
 