avatar ionutlupu
ionutlupu
8 Jun 2015

Steps to reproduce the issue

Global Configuration -> Server -> Force SSL -> Entire site
In the front-end you are now using https. Login. You are now logged in.
Delete the (s) from https to access the same page using http. Press Enter.

Expected result

Redirect from http -> to https, and on the https connection to be logged in.

Actual result

Redirect is happening but on https you appear as logged out. Same result also if tested in back-end.

System information (as much as possible)

Joomla 3.4.1
PHP 5.6.9

Additional comments

Issue reported here: http://forum.joomla.org/viewtopic.php?f=706&t=889388

From my observation the value for the session cookie is changed when using http, so when the user is redirected back to https he appears as logged out.

Votes

# of Users Experiencing Issue
1/1
Average Importance Score
1.00

avatar ionutlupu ionutlupu - open - 8 Jun 2015
avatar joomla-cms-bot joomla-cms-bot - change - 8 Jun 2015
Build 3.4.1 staging
avatar joomla-cms-bot joomla-cms-bot - change - 8 Jun 2015
Labels Added: ?
avatar smz
smz - comment - 8 Jun 2015

My guess is that when you go to the http site a new non-secure session cookie is set up before you're redirected to the https site by the router in JRouterSite::parse(). This overwrites the secure cookie you had generated at login time.

Even if I'm right I'm unsure how to fix this...

avatar BuddhiEash
BuddhiEash - comment - 9 Jun 2015

I tried to reproduce this issue in localhost. But once I changed the SSL settings in Global Configuration I'm getting a "Your connection is not private" message there. I tested on both Chrome and Firefox and got the same message. Sometimes it can be because of localhost, but I'm not sure. Anyway, I couldn't access either the frontend or the backend. I searched this on the Joomla forum and found an issue similar to this one: http://forum.joomla.org/viewtopic.php?t=861231


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7138.

avatar smz
smz - comment - 9 Jun 2015

@BuddhiEash Activating that option in Joomla is not enough to have an SSL (TLS) connection: you must first activate that at the HTTP server level (Apache, Nginx, or whatever...)

avatar BuddhiEash
BuddhiEash - comment - 9 Jun 2015

@smz : OK. I know how to do that, but I couldn't enable the Apache SSL module :smile: So I'll enable it and test. Thanks for reminding me of that.

avatar smz
smz - comment - 9 Jun 2015

... and of course you need a certificate (even a self-signed one created using OpenSSL) to activate the Apache SSL module.

avatar BuddhiEash
BuddhiEash - comment - 9 Jun 2015

@smz : Yes, I'll try to get one and activate the Apache SSL module. But at the moment I'm in a Windows environment with XAMPP; my Linux machine is not available at the moment. So do you think I'll be able to do this with XAMPP?

avatar smz
smz - comment - 9 Jun 2015

@BuddhiEash TBH I never tried myself, but in theory there should be no problem:
Download OpenSSL for Windows from https://www.openssl.org/related/binaries.html and use it to create your self-signed certificate.

There are instructions (amongst other places) here:
http://www.fastinfo.com.au/self-signed-certificate-ssl-on-xampp/

... or try Google:
https://www.google.com/search?q=xampp+ssl+self-signed+certificate&ie=utf-8&oe=utf-8&hl=en

avatar BuddhiEash
BuddhiEash - comment - 9 Jun 2015

@smanzi : Thanks. I'll check them.

avatar BuddhiEash
BuddhiEash - comment - 10 Jun 2015

I tested this and I can confirm the issue. But I'd like to add some more to the reproduction steps. Once SSL is enabled in the Joomla Global Configuration, the user should log out from the back-end. If you don't log out from the back-end, this issue does not occur. At that point both front-end and back-end work as expected with 'https'. I think some session thing causes that.

avatar brianteeman
brianteeman - comment - 10 Jun 2015

Really can't help but think this is the expected behaviour when you switch from a web site at https to a web site at http etc.

Potentially they are different web sites so I would expect a login not to be maintained when you switch.
On 10 Jun 2015 17:38, "Buddhi" notifications@github.com wrote:

> I tested this and I can confirm the issue. But I'd like to add some more to the reproduction steps. Once SSL is enabled in the Joomla Global Configuration, the user should log out from the back-end. If you don't log out from the back-end, this issue does not occur. At that point both front-end and back-end work as expected with 'https'. I think some session thing causes that.

avatar BuddhiEash
BuddhiEash - comment - 10 Jun 2015

@brianteeman : Yes, I agree with that. Normally, if a website has enabled SSL, I too don't think users will try to access it without SSL.

avatar brianteeman
brianteeman - comment - 19 Jun 2015

I am closing this at this time as expected behaviour

avatar brianteeman brianteeman - change - 19 Jun 2015
Status New Expected Behaviour
Closed_Date 0000-00-00 00:00:00 2015-06-19 08:30:05
Closed_By brianteeman
avatar brianteeman brianteeman - change - 19 Jun 2015
Build master staging
avatar brianteeman brianteeman - close - 19 Jun 2015
avatar smz
smz - comment - 19 Jun 2015

hhmmm... I'm not totally convinced this can be considered "normal" behavior: If you do the same forcing at .htaccess level you wouldn't have this issue (I guess, not tested), so I think we could leave this open, maybe at a very low priority, and see if we can figure out a solution...

avatar creativeprogramming
creativeprogramming - comment - 27 Jun 2015

> Yes, I agree with that. Normally, if a website has enabled SSL, I too don't think users will try to access it without SSL.

They will instead. E.g. following a link hardcoded in an old article (imagine that the site wasn't born with https but switched to it someday), or simply typing the site address without https in a new tab to get the homepage, or if they have a bookmark to the non-SSL link, or external referrals that use the non-SSL link, etc...

avatar creativeprogramming
creativeprogramming - comment - 27 Jun 2015

The solution is simply calling the redirect to SSL, flushing the header("Location: ..") and closing, very early in the Joomla application code, e.g. in index.php before any session handling code is invoked, so there will be no cookie check and no session overriding.
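
The early-redirect ordering proposed in this comment, and the cookie-overwrite mechanism smz guessed at earlier (a plain-http request starting a fresh session and emitting a replacement Set-Cookie), as an added illustration in plain PHP 5.6-compatible code; this is not Joomla's own code, and SITE_HOST and the cookie name 'app_session' are placeholders. It assumes TLS terminates on this server so that $_SERVER['HTTPS'] is reliable.

```php
<?php
// Added example, not Joomla's code: a minimal front controller that performs
// the HTTP -> HTTPS redirect *before* any session handling. The plain-http
// request therefore never calls session_start(), so it never emits the
// replacement (non-secure) Set-Cookie that would overwrite the secure session
// cookie issued at login. Assumptions: TLS terminates on this server, so
// $_SERVER['HTTPS'] is reliable; SITE_HOST and 'app_session' are placeholders.

define('SITE_HOST', 'www.example.com'); // configured value, never the Host header

function requestIsHttps(array $server)
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

function httpsUrlFor(array $server)
{
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    // Only an absolute path (and query) is carried over; anything else is
    // replaced so the Location header always stays on our own origin.
    if (strpos($uri, '/') !== 0) {
        $uri = '/';
    }
    return 'https://' . SITE_HOST . $uri;
}

// 1. Force SSL first. Nothing above this line has touched cookies or sessions,
//    so the http response carries only the redirect and no Set-Cookie header.
if (!requestIsHttps($_SERVER)) {
    header('Location: ' . httpsUrlFor($_SERVER), true, 301);
    exit; // stop here: no session_start(), no new session ID, no cookie change
}

// 2. Only a TLS request reaches session handling. The cookie is flagged secure
//    (and httponly), so the browser never sends it over plain http; because the
//    redirect above runs first, an http hit can no longer replace it either.
session_set_cookie_params(0, '/', '', true, true);
session_name('app_session');
session_start();
```

In the failing order described in this thread the session is started (and the cookie re-issued) before the router's redirect runs; moving the redirect above that point is the whole fix.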

avatar smz
smz - comment - 27 Jun 2015

@creativeprogramming Hi Stefano! I think it is probably better if we continue the discussion in #4960, as this has been closed...
