I have been looking and do not see any setting for SSL activation.
Any tips on where to hack in to rewrite the header for https:// ?
Yeah, this seems like a rather gaping security hole. I don't want to force all visitors to use ssl, but I'd like the registration and login forms to be submitted over https, but the forms just submit over the originating protocol, so if the visitor comes in using http, their password will be sent in the clear!
Piwigo works fine over SSL (HTTPS) but it's not an "embedded" feature, it's more like a feature related to your hosting provider.
To configure SSL for website
Complete the following steps:
1. In Internet Explorer, go to Tools -> Internet Options.
2. Click on the Advanced tab and scroll to the bottom of the screen.
3. Place a checkmark in the boxes next to:
   * Use SSL 2.0
   * Use SSL 3.0
4. Click Apply.
5. Click OK.
6. Refresh your window by clicking Refresh or by pressing F5.
Mozilla Firefox
1. Go to Tools -> Options.
2. Click Advanced.
3. Go to the Encryption Tab.
4. Check the box next to Use SSL 3.0.
5. Click OK.
6. Refresh your window by clicking Refresh or by pressing F5.
No
You are answering how to use a secure connection on the visitor side, if the website has one. But here, it's more about enabling a secure connection on the server side, and it's up to the server: if it's a shared server, it's up to the hoster.
Hi everyone, especially the piwigo team,
I want to bring this item back on the table. Of course, Piwigo runs fine over https, that is not the question. But that is not what most people want.
What would be nice is a feature where normal visitors browse over http, while if you log in or do admin stuff, https is used.
Wordpress has a similar feature, see http://codex.wordpress.org/Administration_Over_SSL which redirects one automatically to https when logging in and all the admin stuff (separate settings).
This is a feature that I consider of great importance.
I looked into the source according to the workaround mentioned in http://piwigo.org/bugs/print_bug_page.php?bug_id=2689, but the code has changed and now uses the get_root_url function. Maybe it is enough to make some changes there to switch to the https scheme as soon as one tries to log in and/or administer.
Thanks for reconsidering this item
Norbert
Hi everyone,
I've developed the missing feature (I needed it!).
I've called the plugin "Force HTTPS", and you can find it in the Piwigo extensions directory: http://piwigo.org/ext/extension_view.php?eid=697
Hi,
bonhommedeneige wrote:
I've called the plugin "Force HTTPS"
that is already a nice step forward, but I would like to have HTTPS only for admins, registered users, and maybe only for the login process, but not for the actual browsing.
Do you think that this is doable in your plugin?
I checked the code a bit and it seems that you just give a redirect header, which is ok, but not optimal for differentiation.
Anyway, thanks first of all for your work on that and the nice plugin.
Norbert
Hi,
I'll check if we can catch the current page or process while browsing.
I think it should not really be an issue. The only thing is that in that particular case, STS could not be activated.
I'll keep you in touch if I succeed.
bonhommedeneige
Try using mod_rewrite to force the administration.php file to be redirected to HTTPS. This forces the login process to be encrypted, but lets people browse without SSL.
SSL wrote:
Try using mod_rewrite to force the administration.php file to be redirected to HTTPS. This forces the login process to be encrypted, but lets people browse without SSL.
Interesting idea, but that is incomplete. First, the quick connect submit form is going to identification.php, which needs to be caught. I am not concerned about browsing in admin mode. What is a pain, what I don't want, is sending my password, esp. the admin password, unencrypted over the internet.
So I guess I have to rewrite identification.php, but I am not sure if this is enough.
Norbert
Hello,
Trying to make HTTPS work on my Piwigo page, I downloaded the plugin "Force HTTPS" but don't know how to make it work?!
Any help, guys? :)