You need a Joomla-powered website that can be reached via HTTP and HTTPS. Moreover, you need the possibility to log in at the frontend (this is e.g. the case with the demo site delivered with Joomla).
Locate the "Login Form" module in the backend and switch "Encrypt Login Form" to "Yes". Save this setting.
Open the frontend via HTTP and scroll down until you reach the login form. Log in with any account allowed to log in at the frontend (the superuser account shall do).
Despite the setting of "Encrypt Login Form" to "Yes", the login will be done via HTTP and not HTTPS as requested.
If you inspect the HTML source of the frontend pages, you'll see that the action attribute of the form markup contains an HTTP URL and not an HTTPS URL as expected. I tested this with the SEF setting on and off; this makes no difference.
Up to now I found out that the mod_login module creates the login form in mod_login/tmpl/default.php by calling the JRoute::_() method with the current URL converted into a string as first argument and with the "Encrypt Login Form" flag as third argument.
I located the JRoute::_() method in libraries/joomla/application/route.php, and I see that this method returns the URL passed as first argument without modification if the following condition is true:
!is_array($url) && (strpos($url, '&') !== 0) && (strpos($url, 'index.php') !== 0)
This is the case whenever you pass a complete URL as string to this method as is the case with the login form created by the mod_login module.
I also inspected the logout form in mod_login/tmpl/default_logout.php where the JRoute::_() method is called too. In that case the current URL converted into a string is passed as first parameter too and the "Encrypt Login Form" flag is passed as third argument too.
If that piece of code should lead to switching back from HTTPS, used when showing frontend pages after logging in, to HTTP pages after the logout, this will not work, since the JRoute::_() method will return the HTTPS URL unmodified due to the same reason as for the login case.
BTW the "Encrypt Login Form" label is misleading although the tooltip helps in understanding what this setting will do (or better should do). Something like "Log In Via SSL" would be better here I think.
Closing as we have a PR. @jpangburn, can you test there -> #8003?
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-10-03 08:51:30 |
Closed_By | ⇒ | zero-24 |
Worked great for me! Thanks!
I tested with the following conditions:
I also tested with the whole site set to force SSL and regardless of the login setting, the form was HTTPS.
These scenarios are all correct as far as I can see. Great job, thanks again!
I have the same problem. That button seems to do nothing. If you configure the login form for the Administrator site with that same button, then it works. Viewing the HTTP source you see that even if you opened the page in HTTP, the login link is HTTPS.
But for the regular site module's login, that button is ignored. I ended up forcing the whole site to HTTPS even though I don't really need to protect any content that much other than users' usernames/passwords. This causes the link for the login form to also be HTTPS. Would be nice if this button worked so the whole site doesn't have to be HTTPS.