logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> News & Hangout View previous topic :: View next topic
Reply to topic   Topic: Apachelounge not using HTTPS
Author
gijs



Joined: 27 Apr 2012
Posts: 189
Location: The Netherlands

PostPosted: Fri 06 Mar '15 19:03    Post subject: Apachelounge not using HTTPS Reply with quote

I just noticed that this website doesn't use HTTPS when logging in on the forum by default.. Shocked

It does support HTTPS but only when turned on manually by adding https://
I suggest the URL to the login page is edited to protect our passwords. (for example from man in the middle attacks on public WiFi networks)
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Mon 16 Mar '15 12:25    Post subject: Reply with quote

Steffen could add the following code to login.php file

Code:
if($_SERVER['HTTPS'] != "on"){
   $redirect = "https://". $_SERVER['HTTP_HOST']. $_SERVER['REQUEST_URI'];
   header("Location: $redirect");
   die();
}
Back to top
ng4win



Joined: 25 May 2014
Posts: 78

PostPosted: Mon 16 Mar '15 13:47    Post subject: Reply with quote

It also defaults back to http no matter if you force https, sounds like a default setting is rewriting back to http.
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 692

PostPosted: Mon 16 Mar '15 15:52    Post subject: Reply with quote

@James Your snippet gives: This webpage has a redirect loop.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Mon 16 Mar '15 17:30    Post subject: Reply with quote

I wonder cause this works on all my webpages. Maybe you can force SSL for login.php by mod rewrite
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Tue 25 Aug '15 11:46    Post subject: Reply with quote

Made some changes, now with logging in it changes to https.

Hope all the rest still works fine. Please check.
Back to top
gijs



Joined: 27 Apr 2012
Posts: 189
Location: The Netherlands

PostPosted: Tue 25 Aug '15 13:40    Post subject: Reply with quote

After login it changes to https, but especially the login page itself should be protected (since that is the page where our passwords are being send, currently unencrypted)
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Tue 25 Aug '15 13:52    Post subject: Reply with quote

Thanks for checking.

Should now be ok, login link now https.
Back to top
gijs



Joined: 27 Apr 2012
Posts: 189
Location: The Netherlands

PostPosted: Tue 25 Aug '15 13:56    Post subject: Reply with quote

Perfect, all seems well. Smile
Back to top


Reply to topic   Topic: Apachelounge not using HTTPS View previous topic :: View next topic
Post new topic   Forum Index -> News & Hangout