?
avatar creativeprogramming
creativeprogramming
31 Oct 2014

To reproduce:

0) Ensure your .htaccess/webserver is NOT doing http to https redirection
1) Enable "Force-SSL" (whole site) in your Joomla system configuration (on an HTTPS capable joomla instance of course)
2) Go to your website frontend in HTTPS and log in
3) Open your site in plain http
4) You get back redirected to SSL but.... session is lost you're logged out

This can be a nasty issue, as users may have bookmarked some http links, external links, and also it happens if they open another tab and they rely to the browser address bar suggestion (if it's stored as plain http).


THIS ISSUE IS SOLVED IF YOU LET THE WEBSERVER HANDLE THE HTTP TO HTTPS REDIRECT

So it's 100% a Joomla issue. Maybe the redirect is not called before any session handling code and the session.php as cannot find a session cookie when is hit in https due to the "secure cookie" finds the user as guest and does some JSession initiation (session_destroy?) that destroies any existing https session, then it redirect the user back to https but with session lost

See:

https://github.com/joomla/joomla-cms/blob/ac589fd45aaa88a5e9d972cacceec083cb4c754b/libraries/joomla/session/session.php#L814

This is good, but it's related to the issue, JSession should be fixed to avioid clearing on session initiation or the ForceSSL should be implemented in a way no other code is called but just the redirect!

Best Regards,
Stefano

avatar creativeprogramming creativeprogramming - open - 31 Oct 2014
avatar jissues-bot jissues-bot - change - 31 Oct 2014
Labels Added: ?
avatar vdespa vdespa - change - 13 Nov 2014
Category Authentication Libraries
avatar spwilson806
spwilson806 - comment - 10 Feb 2015

I can confirm running into this problem as well (following the same procedure as described above). It appears that the HTTP->HTTPS redirect happens during routing, after session handling/creation occurs. If a user initially logs in while force_ssl is enabled, they receive a secure cookie. If they then navigate to a non-HTTPS page, by definition, the cookie is not included in the request. They are then given a new session, overwriting the existing one, prior to the redirect to HTTPS occurring.

avatar smz
smz - comment - 27 Jun 2015

This has a (closed) duplicate in #7138

Although I would work around this in .htaccess, I still view this as a bug: If we want to maintain the "Force-SSL" option, we should have it work, always.

My guts says that we should enforce that option very early, before storing a session cookie.

I'll look into this, but of course I'm not promising anything! :smile:

avatar smz
smz - comment - 27 Jun 2015

@creativeprogramming

What you wrote in #7138 is correct and it is what is now done in JRouterSite::parse() (lines 73-78).

The problem is that at that point the application (CMS) has already been instanced and with it a (new) session has been created.

We should do that before session initialization, but at a point where we can get Joomla! configuration options, and we should also remember that the force_ssl option is available for the backend too...

I'm currently reading the code trying to identify the correct point where to move that check/redirect, but it is not an easy task (not for me, anyway!).

In any case I think that if you want to enforce SSL for both front-end and back-end, the easiest and by far fasted solution is to do that .htaccess (or equivalent) level.

avatar creativeprogramming
creativeprogramming - comment - 30 Jun 2015

Hi @smz, yes i agree that best way is to do this at server-level (.htaccess) and I do that way (I use HSTS not simple redirects).

But the common Joomla user doesn't do that, if they have the Joomla option to enforce SSL they'll use it as it's easier to enable (I work often with other site managers as a freelancer and I see this situation)

If best pratice should be to do that at server level, please simply remove the option to enforce SSL in the Joomla code (maybe keeping hidden legacy support but not presenting the UI control in system settings) or add simply a notice aside it asking to enable it also at webserver side (like it's done for URL rewriting) , providing a - commented - example in the default .htaccess

avatar brianteeman
brianteeman - comment - 8 May 2016

Closing as it is the expected behaviour that switching between http and https it is a new session


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/4960.

avatar brianteeman brianteeman - change - 8 May 2016
Status New Closed
Closed_Date 0000-00-00 00:00:00 2016-05-08 15:44:52
Closed_By brianteeman
avatar brianteeman brianteeman - close - 8 May 2016

Add a Comment

Login with GitHub to post a comment