my guess is that when you go to the http site a new non-secure session cookie is set-up before you're redirected to the https site by the router in JRouterSite::parse(). This overwrite the secure cookie you had generated at login time.

Even if I'm right I'm unsure how to fix this...

I tried to reproduce this issue in localhost.But once i changed SSL settings in Global configuration i'm getting "Your connection is not private" message there.I tested on both chrome and firefox.Got the same message.Sometimes it can be because of localhost.But i'm not sure.Anyway i couldn't access both frontend and backend.I searched this on joomla forum and got a similar issue to this: http://forum.joomla.org/viewtopic.php?t=861231

@BuddhiEash Activating that option in Joomla is not enough to have an SSL (TLS) connection: you must first activate that at the HTTP server level (Apache, Nginx, or whatever...)

@smz : Ok.I know how to do that but i couldn't enable apache ssl module So i'll enable it and test.Thanks for reminding me that.

... and of course you need a certificate (even a self-signed one created using OpenSSL) to activate the Apache SSL module.

@smz : yes i'll try to get a one and activate apache ssl module.But at the moment i'm in a windows environment with xampp.My linux machine is not available at the moment.So do you think i'll be able to do this with xampp?

@BuddhiEash TBH I never tried myself, but in theory there should be no problem:
Download OpenSSL for Windows from https://www.openssl.org/related/binaries.html and use it to create your self-signed certificate.

There are instructions (amongst other places) here:
http://www.fastinfo.com.au/self-signed-certificate-ssl-on-xampp/

... or try Google:
https://www.google.com/search?q=xampp+ssl+self-signed+certificate&ie=utf-8&oe=utf-8&hl=en

@smanzi : Thanks.I'll check them.

I tested this and i can confirm the issue.But i like to add some more to the reproducing steps.Once enabled SSL in Joomla global configuration, user should logged out from the back-end.If didn't logged out from the back-end, this issue not occurs.At that point both front-end and back-end work as expect with 'https'.I think some session thing causes for that.

Really can't help but think this is the expected behaviour when you switch
from a web site at https to a web site at http etc.

Potentially they are different web sites so I would expect a login not to
be maintained when you switch.
On 10 Jun 2015 17:38, "Buddhi" notifications@github.com wrote:

I tested this and i can confirm the issue.But i like to add some more to
the reproducing steps.Once enabled SSL in Joomla global configuration, user
should logged out from the back-end.If didn't logged out from the back-end,
this issue not occurs.At that point both front-end and back-end work as

expect with 'https'.I think some session thing causes for that.

This comment was created with the J!Tracker Application
https://github.com/joomla/jissues at issues.joomla.org/joomla-cms/7138
http://issues.joomla.org/tracker/joomla-cms/7138.

—
Reply to this email directly or view it on GitHub
#7138 (comment).

@brianteeman : Yes i'm agree with that.Normally if a website has enabled ssl,me too don't think users will try to access it without ssl.

@brianteeman : Yes i'm agree with that.Normally if a website has enabled ssl,me too don't think users will try to access it without ssl.

I am closing this at this time as expected behaviour

hhmmm... I'm not totally convinced this can be considered "normal" behavior: If you do the same forcing at .htaccess level you wouldn't have this issue (I guess, not tested), so I think we could leave this open, maybe at a very low priority, and see if we can figure out a solution...

Yes i'm agree with that.Normally if a website has enabled ssl,me too don't think users will try to >access it without ssl.

They will instead. I.e. following a link hardcoded in and old article, imagine that the site wasn't born with https but switched to it someday, or simply typing the site address without https in a new tab to get the homepage, or if they have a bookmark to the non-ssl link or external referrals that use non-ssl link etc...

The solution is simply calling the redirect to ssl, flushing the header("location: ..") and closing, very before in the Joomla application code, e.g. in index.php before any session handling code is invoked so there will be no cookie check and no session overriding

@creativeprogramming Hi Stefano! I think it is probably better if we continue the discussion in #4960, as this has been closed...