[#9583] - Force SSL option should check for actual SSL certificate to prevent lockout
- Closed
- 25 Mar 2016
- Medium
- Build: 3.5.0
- # 9583
Steps to reproduce the issue
Enable the new J3.5 option "Force SSL" to "Entire Site" found in:
administrator > global configurations > server > server settings
Remove SSL from your site. You will suddenly be locked out of your site completely (even with adding browser exceptions). This is due to Joomla attempting to force your site to use https even when SSL is non existent.
Proposal
When Joomla cannot detect an SSL certificate, forcing the site to be completely inaccessible is not an ideal situation. As a result a check should be created that checks for the certificate before forcing SSL.
Why I can into this scenario
I was having issues logging in/logging out into Joomla 3.5 which was related to PHP 7.0.4, I think PHP 7.0.3 worked just fine. So I wanted to see if SSL had any affect on this. While testing I forgot to switch the admin option to remove forcing SSL. Next thing I know, I'm locked out of my site completely (server side).
Votes
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-03-25 07:15:53 |
| Closed_By | ⇒ | roland-d |
@JoshuaLewis You mention this is a new option in J3.5 but that is not the case. The option to "Force SSL" for the "Entire Site" has been in Joomla at least since 1.5.
However I can reproduce the issue you are mentioning and have created PR #9584 to fix this. Please test the PR so we can get it into Joomla.
Closing this issue as we have a PR now. Thanks.