Referenced as Pull Request for: #8003
jo-sf
22 Sep 2015

You need a Joomla powered website that can be reached via HTTP and HTTPS. Moreover you need the possibility to log in at the frontend (this is e.g. the case with the demo site delivered with Joomla).

Locate the "Login Form" module in the backend and switch "Encrypt Login Form" to "Yes". Save this setting.

Open the frontend via HTTP and scroll down until you reach the login form. Log in with any account allowed to log in at the frontend (the superuser account shall do).

Despite the setting of "Encrypt Login Form" to "Yes" the log in will be done via HTTP and not HTTPS as requested.

If you inspect the HTML source of the frontend pages you'll see that the action attribute of the form markup contains an HTTP URL and not an HTTPS URL as expected. I tested this with both the SEF on and SEF off settings; this makes no difference.

Up to now I found out that the mod_login module creates the login form in mod_login/tmpl/default.php by calling the JRoute::_() method with the current URL converted into a string as first argument and with the "Encrypt Login Form" flag as third argument.

I located the JRoute::_() method in libraries/joomla/application/route.php, and I see that this method returns the URL passed as first argument without modification if the following condition is true:

!is_array($url) && (strpos($url, '&') !== 0) && (strpos($url, 'index.php') !== 0)

This is the case whenever you pass a complete URL as string to this method as is the case with the login form created by the mod_login module.

I also inspected the logout form in mod_login/tmpl/default_logout.php where the JRoute::_() method is called too. In that case the current URL converted into a string is passed as first parameter too and the "Encrypt Login Form" flag is passed as third argument too.

If that piece of code should lead to switching back from HTTPS used when showing frontend pages after logging in to HTTP pages after the logout this will not work since the JRoute::_() method will return the HTTPS URL unmodified due to the same reason as for the login case.

BTW the "Encrypt Login Form" label is misleading although the tooltip helps in understanding what this setting will do (or better should do). Something like "Log In Via SSL" would be better here I think.

jo-sf - open - 22 Sep 2015
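
The early-return behaviour described in the report above, as an added PHP sketch that is not part of the original post and is not Joomla's own code. `route_model()`, its boolean `$forceHttps` parameter and the host `example.org` are assumptions made for illustration; only the condition in `returned_unmodified()` is taken from the report.

```php
<?php
// Simplified model of the behaviour described in the report; this is not
// Joomla's route.php. example.org and $forceHttps are assumptions.

// The early-return condition quoted in the report.
function returned_unmodified($url): bool
{
    return !is_array($url) && (strpos($url, '&') !== 0) && (strpos($url, 'index.php') !== 0);
}

// Hypothetical stand-in for the router: the HTTPS flag is only looked at
// once the early return has been passed.
function route_model(string $url, bool $forceHttps, string $host = 'example.org'): string
{
    if (returned_unmodified($url)) {
        return $url; // the flag is never consulted on this path
    }
    // Router-style input: '&a=b' is treated as a query on index.php.
    $query = ($url[0] === '&') ? 'index.php?' . substr($url, 1) : $url;
    return ($forceHttps ? 'https' : 'http') . '://' . $host . '/' . $query;
}

// Constructed inputs: the first is what a module gets when it converts the
// current request URL into a string, the others are router-style inputs.
$inputs = [
    'http://example.org/index.php?option=com_users&view=login',
    'index.php?option=com_users&task=user.login',
    '&task=user.login',
];

foreach ($inputs as $url) {
    $action = route_model($url, true); // HTTPS requested in every case
    $scheme = parse_url($action, PHP_URL_SCHEME);
    printf("%-6s %s\n    -> %s\n", $scheme === 'https' ? 'OK' : 'HTTP!', $url, $action);
}
```

Only the first input, the absolute URL, comes back with its `http` scheme intact even though HTTPS was requested, which matches the form action seen in the rendered page.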
jpangburn - comment - 2 Oct 2015

I have the same problem. That button seems to do nothing. If you configure the login form for the Administrator site with that same button, then it works. Viewing the HTTP source you see that even if you opened the page in HTTP, the login link is HTTPS.

But for the regular site module's login, that button is ignored. I ended up forcing the whole site to HTTPS even though I don't really need to protect any content that much other than users' usernames/passwords. This causes the link for login form to also be HTTPS. Would be nice if this button worked so the whole site doesn't have to be HTTPS.

joomdonation - reference | 6cb9de8 - 3 Oct 15
joomdonation - comment - 3 Oct 2015

I made a small PR #8003 to fix this issue. Please test it when you have time so that we can have the issue fixed.

zero-24 - comment - 3 Oct 2015

Closing as we have a PR :smile: @jpangburn can you test there -> #8003 ?

zero-24 - change - 3 Oct 2015
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2015-10-03 08:51:30
Closed_By: zero-24
zero-24 - close - 3 Oct 2015
jpangburn - comment - 4 Oct 2015

Worked great for me! Thanks!

I tested with the following conditions:

  • page on HTTP, login on HTTPS, form result was HTTPS
  • page on HTTP, login on HTTP, form result was HTTP
  • page on HTTPS, login on HTTPS, form result was HTTPS
  • page on HTTPS, login on HTTP, form result was HTTPS

I also tested with the whole site set to force SSL and regardless of the login setting, the form was HTTPS.

These scenarios are all correct as far as I can see. Great job, thanks again!
