Hi.

I'll test this today afternoon and let you know.

-AJ

This comment was created with the J!Tracker Application at http://issues.joomla.org/.

Hi,

I can confirm this issue in Joomla 3.3.3, but not in Joomla 3.2.3. The credentials of the logged in user can be seen in plain text when logging in.

Full steps to reproduce:

1) Force SSL (w/ cert properly installed) site-wide or frontend.
2) Set user login module 'Encrypt Login Form' to >> 'Yes'
3) Reload the frontend, and attempt to log into In a full SSL site, the site via the user login module.
4) Run a packet sniffer, filter HTTP requests only, and check that the POST request is sent over plain HTTP.

-AJ

This comment was created with the J!Tracker Application at http://issues.joomla.org/.

In the file libraries/joomla/application/route.php:85, setting (int) $ssl === 1 instead of $ssl === 1 solves the issue.

This is because the parameter $ssl in the function JRouter::_() is passed as an string, and the comparison is performed type-safe against an integer.

I've diffed the route.php files between Joomla version 3.2.3 and version 3.3.3, and the difference is clear. Version 3.2.3 does it well.

(Joomla v3.2.3) libraries/joomla/application/route.php:88
$scheme = ((int) $ssl === 1) ? 'https' : 'http';
vs.
(Joomla v3.3.3) libraries/joomla/application/route.php:85
$uri->setScheme(($ssl === 1 || $uri->isSSL()) ? 'https' : 'http');

I see this issue has been solved in branch 3.4-dev, but users upgrading to 3.3.3 from the 3.2.3 backend (when clicking on the blue button over red rectangle) are still getting the bug (at least at Sep 01, 2014, 22:30 UTC+2). I haven't tested this issue in a fresh Joomla 3.3.3 install.

This comment was created with the J!Tracker Application at http://issues.joomla.org/.

Looks like it's fixed already in staging, so this will be included in the next release.
See 0b958aa