logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



Apachelounge not using HTTPS

 
Post new topic   Reply to topic    Apache Forum Index -> News & Hangout



View previous topic :: View next topic  
Author Message
gijs



Joined: 27 Apr 2012
Posts: 186
Location: The Netherlands

PostPosted: Fri 06 Mar '15 19:03    Post subject: Apachelounge not using HTTPS Reply with quote

I just noticed that this website doesn't use HTTPS when logging in on the forum by default.. Shocked

It does support HTTPS but only when turned on manually by adding https://
I suggest the URL to the login page is edited to protect our passwords. (for example from man in the middle attacks on public WiFi networks)
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Mon 16 Mar '15 12:25    Post subject: Reply with quote

Steffen could add the following code to login.php file

Code:
if($_SERVER['HTTPS'] != "on"){
   $redirect = "https://". $_SERVER['HTTP_HOST']. $_SERVER['REQUEST_URI'];
   header("Location: $redirect");
   die();
}
Back to top
ng4win



Joined: 25 May 2014
Posts: 78

PostPosted: Mon 16 Mar '15 13:47    Post subject: Reply with quote

It also defaults back to http no matter if you force https, sounds like a default setting is rewriting back to http.
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 549

PostPosted: Mon 16 Mar '15 15:52    Post subject: Reply with quote

@James Your snippet gives: This webpage has a redirect loop.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Mon 16 Mar '15 17:30    Post subject: Reply with quote

I wonder cause this works on all my webpages. Maybe you can force SSL for login.php by mod rewrite
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2580
Location: Hilversum, NL, EU

PostPosted: Tue 25 Aug '15 11:46    Post subject: Reply with quote

Made some changes, now with logging in it changes to https.

Hope all the rest still works fine. Please check.
Back to top
gijs



Joined: 27 Apr 2012
Posts: 186
Location: The Netherlands

PostPosted: Tue 25 Aug '15 13:40    Post subject: Reply with quote

After login it changes to https, but especially the login page itself should be protected (since that is the page where our passwords are being send, currently unencrypted)
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2580
Location: Hilversum, NL, EU

PostPosted: Tue 25 Aug '15 13:52    Post subject: Reply with quote

Thanks for checking.

Should now be ok, login link now https.
Back to top
gijs



Joined: 27 Apr 2012
Posts: 186
Location: The Netherlands

PostPosted: Tue 25 Aug '15 13:56    Post subject: Reply with quote

Perfect, all seems well. Smile
Back to top


Post new topic   Reply to topic    Apache Forum Index -> News & Hangout
Page 1 of 1