@sirtet opened this Issue on February 23rd 2015

It seems that piwik does not automatically redirect to https.
Shouldn't that be done to increase safety? Protect the login credentials as well as all that sensitive user data...

@Globulopolis commented on February 23rd 2015 Contributor

Add force_ssl = 1 under [General] section of config.ini.php.
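To make the effect of that setting concrete, here is an added example (not Piwik's own code, and not taken from the FAQ linked below) of what a `force_ssl = 1` style redirect has to do in a PHP front controller. The function names, the `$trustProxyHeader` switch and the Host validation are this example's own assumptions; Piwik's real detection code lives in `core/FrontController.php` and may differ in detail.

```php
<?php
// Added example, not Piwik's code: what a force_ssl = 1 redirect has to do.
// Reads the request from $_SERVER; helper names are this example's own.

/**
 * Decide whether the current request arrived over HTTPS.
 * $trustProxyHeader must only be true when a reverse proxy in front of the
 * application is known to set X-Forwarded-Proto itself (assumption: this
 * mirrors a typical proxy-aware check, not Piwik's exact implementation).
 */
function requestIsHttps(array $server, bool $trustProxyHeader = false): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ((int)($server['SERVER_PORT'] ?? 0) === 443) {
        return true;
    }
    if ($trustProxyHeader && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower(trim($server['HTTP_X_FORWARDED_PROTO'])) === 'https';
    }
    return false;
}

/**
 * Return the HTTPS URL to redirect to, or null when no redirect is needed
 * (force_ssl disabled, or the request is already HTTPS). Keeping this pure
 * makes it testable without sending headers.
 */
function httpsRedirectTarget(array $server, bool $forceSsl, bool $trustProxyHeader = false): ?string
{
    if (!$forceSsl || requestIsHttps($server, $trustProxyHeader)) {
        return null;
    }
    $host = $server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? null;
    // Only build a redirect from a Host value that looks like a hostname
    // (optionally with a port); anything else is refused rather than echoed.
    if ($host === null || !preg_match('/^[A-Za-z0-9.\-]+(:\d+)?$/', $host)) {
        return null;
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    // Note: an explicit non-443 port in Host is kept as-is; adjust if your
    // HTTPS listener runs on a different port than the HTTP one.
    return 'https://' . $host . $uri;
}

// Usage at the very top of the front controller. In Piwik the flag would be
// read from force_ssl under [General] in config.ini.php; here it is a
// constructed value for the demo.
$forceSsl = true;
$target = httpsRedirectTarget($_SERVER, $forceSsl);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}
```

The redirect is a 301 so browsers cache it, which is what you want once HTTPS is known to work; the Host check exists because the redirect target is built from a client-supplied header and should never point outside the expected hostname pattern.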

@mattab commented on February 23rd 2015 Owner

Explained in this faq

@sirtet commented on February 23rd 2015

I see.
So, what's the reason that is not set by default?

@mattab commented on February 23rd 2015 Owner

Many users don't have SSL on their servers, unfortunately.

@sgiehl commented on February 23rd 2015 Member

What about adding a checkbox in install to enable SSL forcing? And if piwik is installed using https we could check that option as default.

@sirtet commented on February 23rd 2015

I understand that not everyone has SSL available.
That's why I titled it "if available".
The code to switch over IF AVAILABLE would be fairly easy, I guess, looking at the gained security.

@mattab commented on February 23rd 2015 Owner

That's a good point, reopening!

@ThaDafinser commented on February 25th 2015 Contributor

Current detection code is here: https://github.com/piwik/piwik/blob/master/core/FrontController.php#L516-L538

@sirtet how can you "detect" that, without performance loss?
Idea 1) Make a request with https and see if you have a valid response....
Idea 2) ???

@sirtet commented on February 25th 2015

how can you "detect" that, without performance loss?
No idea, I am not a coder, unfortunately.
I guess it needs to be detected only once, on install, and then force it.
Or are there any use-cases where someone explicitly wants to opt-out from security that is there, and use http instead of https?

@mattab commented on February 25th 2015 Owner

The problem with detecting it once is that maybe it works today, but in 2 months the SSL will be broken. Redirecting to SSL would break Piwik in this case. But maybe it's acceptable for added security...

@mattab commented on April 28th 2016 Owner
@mattab commented on December 13th 2017 Owner

Instead of detecting and redirecting to SSL, we should rather add a new system check that issues a warning when force_ssl is not used. This will help users work to enable SSL on their Piwik server (updated ticket title).
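As an added illustration of the system check proposed here (this is not Piwik's diagnostic code and does not use its Diagnostics API), the following standalone PHP reads a `config.ini.php` string and reports a warning when `force_ssl` is absent or `0`. The function and constant names, the wording of the messages and the sample config are constructed for this example.

```php
<?php
// Added example, not Piwik's code: a standalone "force_ssl not enabled"
// system check. Names and sample data below are constructed.

const SSL_CHECK_OK = 'ok';
const SSL_CHECK_WARNING = 'warning';

/**
 * Parse a Piwik-style config.ini.php string. The leading "; <?php exit; ?>"
 * guard line is an INI comment, so parse_ini_string() skips it.
 */
function parsePiwikConfig(string $ini): array
{
    $parsed = parse_ini_string($ini, true, INI_SCANNER_TYPED);
    return $parsed === false ? [] : $parsed;
}

/**
 * Return [status, message]. Warns when force_ssl is missing or 0. When the
 * current request was itself served over HTTPS, the message says that
 * enabling force_ssl should be safe (assumption: matches the intent of the
 * proposed check, not any actual Piwik wording).
 */
function checkForceSsl(array $config, bool $servedOverHttps): array
{
    $forceSsl = $config['General']['force_ssl'] ?? 0;
    if ((int)$forceSsl === 1) {
        return [SSL_CHECK_OK, 'force_ssl is enabled; HTTP requests are redirected to HTTPS.'];
    }
    $hint = $servedOverHttps
        ? 'This request was served over HTTPS, so setting force_ssl = 1 under [General] in config.ini.php should be safe.'
        : 'Set force_ssl = 1 under [General] in config.ini.php once HTTPS works on this server.';
    return [
        SSL_CHECK_WARNING,
        'force_ssl is not enabled; login credentials and report data may be sent in clear text. ' . $hint,
    ];
}

// Constructed sample config: guard line plus two sections, force_ssl unset.
$sampleConfig = <<<'INI'
; <?php exit; ?> DO NOT REMOVE THIS LINE
[database]
host = "127.0.0.1"

[General]
salt = "example"
INI;

// Run the check as if the current request came in over HTTPS.
[$status, $message] = checkForceSsl(parsePiwikConfig($sampleConfig), true);
echo "[$status] $message\n";

// Same check against a config where force_ssl is on.
$enabledConfig = $sampleConfig . "\nforce_ssl = 1\n";
[$status, $message] = checkForceSsl(parsePiwikConfig($enabledConfig), true);
echo "[$status] $message\n";
```

Because the check only reads configuration and the current request's scheme, it costs nothing at runtime, which addresses the performance concern raised earlier in the thread; the decision to redirect stays with the administrator rather than being made automatically from a one-time probe that may go stale.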
