@anonymous-piwik-user opened this Issue on June 11th 2013

Updated:

After researching we decided to remove the setting force_ssl_login from the codebase. From now on, please use exclusively force_ssl=1

See FAQ: Piwik enable SSL and Configure Piwik for security

@mattab commented on June 18th 2013 Owner

Works for me, force_ssl_login is for login form only and force_ssl is for all pages.

For the Overlay+SSL bug see #3691

@anonymous-piwik-user commented on June 19th 2013

My global.inc.php has force_ssl_login = 1 and force_ssl = 0.

Try for yourself:

http://geekbox.me/piwik (should redirect to SSL)
user = piwik
pass = piwik123

Notice how after logging in, it doesn't go back to non-SSL.

@mattab commented on January 13th 2014 Owner

I can reproduce that force_ssl_login=1 will also redirect non-login URLs to SSL.

@sksksksk commented on January 13th 2014

I'm also affected by the overlay issue described in #3691, and the combination of force_ssl and force_ssl_login would somehow solve the issue for me (so that only the login screen is SSL). But as this bug report describes, this is not the case.

I'm confused with the last comment of matt: although you say you can reproduce the issue, you've closed the report and set the resolution to worksforme. Isn't this a contradiction?

@mattab commented on January 13th 2014 Owner

It was a misclick, thanks for pointing it out!

@sksksksk commented on January 13th 2014

Sorry for going off topic: there seems to be no way to subscribe to a ticket under this Trac installation. I can't change the CC field.

@mattab commented on February 11th 2014 Owner

Updated spec for this ticket to clarify what does not work:

If I set force_ssl_login to 1, and force_ssl to 0, then the login will be secure, but after login the user should be redirected to HTTP. Unfortunately, once I log in, the site remains in SSL mode.

@mattab commented on February 11th 2014 Owner

It's hard to make force_ssl_login work as described here. Instead I will completely remove the force_ssl_login setting from the settings. Please only use force_ssl from now on. One reason we don't like force_ssl_login is that the auth cookie would have to be sent over HTTP, which is not secure. So this setting has no extra value compared to force_ssl.

If there are other bugs in Piwik with force_ssl then please post on the related ticket or create new bug reports if not there already.

How do I force Piwik to use SSL for more security?

@mattab commented on February 11th 2014 Owner

In d1684719f1d494e9b1a2d686b5da0e4164f11340: Fixes #4001 Deprecate force_ssl_login setting as it's too hard to properly enforce

@sksksksk commented on February 11th 2014

I understand the difficulty and why you remove the option. But please put a note in the FAQ that with this option site overlays won't work on non-SSL sites.

@mattab commented on February 11th 2014 Owner

OK, that sounds like a good improvement: in case the website does not load in HTTPS, we default it to HTTP. Or maybe we always use the website over HTTP for the overlay report?

Since it already opens in a new window, we can simply open that new window over HTTP?

@mattab commented on February 11th 2014 Owner

We have to deal with the cookie set which is set with "secure" flag right now... not sure what the solution is to have authentication work on HTTP with the cookie on HTTPS...
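The two comments above describe one dilemma: if the auth cookie carries the "Secure" flag, a browser will never send it with a plain-HTTP request (so the overlay over HTTP cannot be authenticated), and if the flag is dropped so that force_ssl_login-style mixed HTTP/HTTPS works, the cookie travels in clear text. The following is an added example, not code from the Piwik project, that shows both sides with Python's standard http.cookiejar, whose DefaultCookiePolicy applies the same Secure rule a browser does, and adds a small audit of a Piwik-style [General] config section. The host piwik.example, the cookie name piwik_auth, the token value and the config snippets are all constructed for the demonstration.

```python
"""Constructed demonstration (not Piwik's own code): a Secure auth cookie set by
the HTTPS login page is never sent back over plain HTTP, and a config audit for
the deprecated force_ssl_login setting."""
import configparser
import email.message
import http.cookiejar
import urllib.request

# Hypothetical cookie name and token; the real Piwik cookie name is not on this page.
SECURE_LOGIN_COOKIE = "piwik_auth=CONSTRUCTED_TOKEN; Path=/; Secure; HttpOnly"
# Same cookie without the Secure flag: what force_ssl_login=1 + force_ssl=0 would need.
INSECURE_LOGIN_COOKIE = "piwik_auth=CONSTRUCTED_TOKEN; Path=/; HttpOnly"

# Constructed config mirroring the reporter's settings (force_ssl_login=1, force_ssl=0).
CONSTRUCTED_CONFIG = """; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
force_ssl_login = 1
force_ssl = 0
"""
# Constructed config using only the recommended setting.
HARDENED_CONFIG = """; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
force_ssl = 1
"""


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_header):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def login_over_https(set_cookie_header=SECURE_LOGIN_COOKIE, host="piwik.example"):
    """Simulate the HTTPS login response storing the auth cookie in a browser jar."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request(f"https://{host}/index.php?module=Login")
    jar.extract_cookies(_Response(set_cookie_header), request)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar attaches to a request for url, or None.

    add_cookie_header applies DefaultCookiePolicy, which refuses to release a
    Secure cookie to a request whose scheme is not https."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def audit_ssl_settings(ini_text):
    """Flag a Piwik-style [General] section that relies on force_ssl_login."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)

    def enabled(option):
        return parser.get("General", option, fallback="0").strip() == "1"

    findings = []
    if parser.has_option("General", "force_ssl_login"):
        findings.append("force_ssl_login is deprecated (see #4001); use force_ssl=1 instead")
    if enabled("force_ssl_login") and not enabled("force_ssl"):
        findings.append("login is HTTPS but other pages are HTTP: the auth cookie "
                        "cannot be both Secure and usable on the HTTP pages")
    if not enabled("force_ssl"):
        findings.append("force_ssl=0: set force_ssl=1 so every page, not only login, is HTTPS")
    return findings


if __name__ == "__main__":
    secure_jar = login_over_https()
    print("Secure cookie, HTTPS report page:",
          cookie_header_for(secure_jar, "https://piwik.example/index.php?module=CoreHome"))
    print("Secure cookie, HTTP overlay page:",
          cookie_header_for(secure_jar, "http://piwik.example/index.php?module=Overlay"))
    plain_jar = login_over_https(INSECURE_LOGIN_COOKIE)
    print("Cookie without Secure, HTTP page (token exposed on the wire):",
          cookie_header_for(plain_jar, "http://piwik.example/index.php?module=Overlay"))
    for finding in audit_ssl_settings(CONSTRUCTED_CONFIG):
        print("-", finding)
```

Run as a script it prints the cookie value for the HTTPS request, None for the HTTP request with the Secure cookie, the token again once the Secure flag is removed, and the three audit findings for the mixed configuration; the hardened configuration yields no findings. The jar behaviour is exactly why the thread settles on force_ssl=1 for all pages rather than a per-page split.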

@mattab commented on February 17th 2014 Owner

I created a ticket for this feature request: #4700

This Issue was closed on February 24th 2014