#1 2016-08-26 19:41:16

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13171

[Force HTTPS] questions about code and "login only" feature

Hello bonhommedeneige,

I'm currently working on HTTPS related subjects. Of course I'm trying [extension by bonhommedeneige] Force HTTPS in depth. I have a few questions :-)

* what is the directory PHPWG_ROOT_PATH.PWG_LOCAL_DIR.'piwigo-force-https' about? (it looks like useless code to me)

* now that you use maintain.class.php you no longer need your function piwigo_force_https_init() in main.inc.php

* this is far too complicated:

Code:

$use_https = isset($conf['fhp_use_https']) ? piwigo_force_https_strbool($conf['fhp_use_https']) : 'false';
if ($use_https == 'true') {

you can write this instead:

Code:

if ($conf['fhp_use_https'])
{

(Piwigo already converts config values like (string)"true" to (bool)true, and at this level in the code you should be sure $conf['fhp_use_https'] is already set.)

* what do you think about a simpler option "use HTTPS for log in and following pages"? The idea is to allow HTTP browsing, but force HTTPS for log in.



#2 2017-11-08 00:45:24

bonhommedeneige
Member
France
2013-05-03
29

Re: [Force HTTPS] questions about code and "login only" feature

Hello plg,
First of all, sorry for replying to your message more than one year later (I didn't see the notification, to be honest), and thank you for the comments / suggestions.
I've enhanced the code and the way the configuration is handled; it is, I think, much simpler now.
The new version also embeds new options, among them the possibility to enable HTTPS only for:
- identification (identification, register, and user preferences)
- admin pages
There are also new options so that one can customize the value of the redirect code (as requested here http://piwigo.org/forum/viewtopic.php?id=27012) and the HSTS max-age value (which by default is now 6 months instead of 300 seconds).

Arnaud (bonhommedeneige)

Last edited by bonhommedeneige (2017-11-08 00:45:56)
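
The options discussed in this thread (HTTPS scope, redirect code, HSTS max-age), sketched as an added example that is not the plugin's own code. The function name, config keys, script names and host are assumptions; the point it illustrates is that HSTS applies to the whole host and is only honoured over HTTPS, so it is sent only when every page is forced to HTTPS.

```php
<?php
// Added example, not the plugin's code. Function name, config keys and
// script lists are assumptions made for illustration.

function fhp_plan(array $cfg, string $script, bool $is_https, string $uri): array
{
    $login = ['identification.php', 'register.php', 'profile.php'];
    $admin = ['admin.php'];
    $scope = $cfg['scope'] ?? 'all';            // 'all', 'login' or 'login+admin'

    $needs_https = $scope === 'all'
        || in_array($script, $login, true)
        || ($scope === 'login+admin' && in_array($script, $admin, true));

    if (!$needs_https) {
        return ['status' => null, 'headers' => []];
    }

    if (!$is_https) {
        // Only accept real redirect codes; anything else falls back to 301.
        $code = (int) ($cfg['redirect_code'] ?? 301);
        if (!in_array($code, [301, 302, 307, 308], true)) {
            $code = 301;
        }
        // Host comes from configuration, not from the request's Host header.
        $target = 'https://' . $cfg['host'] . '/' . ltrim($uri, '/');
        return ['status' => $code, 'headers' => ['Location: ' . $target]];
    }

    // HSTS is honoured only over HTTPS and applies to the whole host, so it
    // is sent only when every page is forced to HTTPS.
    if ($scope === 'all') {
        $max_age = max(0, (int) ($cfg['hsts_max_age'] ?? 15768000)); // ~6 months
        return ['status' => null, 'headers' => ["Strict-Transport-Security: max-age=$max_age"]];
    }
    return ['status' => null, 'headers' => []];
}

// Constructed sample requests.
$cfg = ['scope' => 'login+admin', 'redirect_code' => 302, 'host' => 'gallery.example.org'];
foreach ([['index.php', false, '/index.php?/category/3'],
          ['identification.php', false, '/identification.php'],
          ['admin.php', true, '/admin.php']] as [$script, $https, $uri]) {
    $plan = fhp_plan($cfg, $script, $https, $uri);
    echo $script, ' => ', $plan['status'] ?? 'no redirect', ' ', implode('; ', $plan['headers']), "\n";
}
```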
