Hello,
using SY 1.1.2 I have just activated https on my domain - and found that it is not possible to log out of a https-session - only by manually changing to http.
My workflow is like this:
- Starting from http://myblog.de I click on "Login" that I activated with a sidebar plugin with "https-Login [x]" activated.
- Login on https://myblog.de/ which leads me to https://myblog.de/serendipity_admin.php?...
- Changing some entries or settings, clicking "Logout", then "Back to the Blog"
- https://myblog.de appears and offers me the "administration" Link for logged users
- Only by deleting the cookie manually in the browser can I ever see the "Login" Link on https://myblog.de again
I read that SY 1.2beta has some "new HTTP / HTTPS session sharing system" - will this fix it?
Thanks for hints
// Bernd
HTTPS and session / cookies
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
Re: HTTPS and session / cookies
Hi!
Can you see if the "logout" link leads to the http:// or the https:// URL?
S9y 1.2 has a completely rewritten https management, so I'd ask you to try this on a temporary installation? This would help us a lot.
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Re: HTTPS and session / cookies
garvinhicking wrote:
> Can you see if the "logout" link leads to the http:// or the https:// URL?
https - precisely:
https://myblog.vom/serendipity_admin.ph ... le]=logout
garvinhicking wrote:
> S9y 1.2 has a completely rewritten https management, so I'd ask you to try this on a temporary installation?
After several days on the shell I would love to concentrate on the contents now. If it's just a patch, ok, but a whole new installation ..
The issue is not that obstructive at the moment .. I'd rather wait for 1.2 release if it's not that far away.
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
Re: HTTPS and session / cookies
Hi!
Of course you could upgrade your existing s9y installation, but to test whether something works, a parallel installation would be much easier. This can be installed in a matter of 1-2 minutes.
There is no simple patch that you can apply, because the changed HTTPS concept touches many areas.
The sad thing is that without people like you who need https testing the stuff, we might release a 1.2 version where it does not work for people like you. The more testers, the more likely we can catch all situations and setups so that it works for everyone. If all people waited for a release, no one would ever test what we develop. And in open source it's always possible that the main developer only focuses on his own needs, and might not have other usage scenarios in mind.
Actually, the less testing we get, the later the 1.2 release will happen.
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Hmm, 2 minutes sounded good at first.
But, I configured it for the same database as the 1.1.2 install - which produced a number of SQL errors, so I used a new DB.
Now it showed the same error at first - no https logout.
But after deleting the (old and new) cookies the https-logout works.
So 1.2-alpha4 seems to be okay regarding this issue.
Oh, a little feature request remains: Options to allow/force https or http independently for the Blog and the Admin-UI.
This for example would force https for Admin and http for the Blog:

        http   https
Blog     x
Admin           x

.. and all 9 combinations (with at least one x per line) should be possible.
Could be realized with php code (checking port 443) or .htaccess, IMHO.
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
Hi!
With that setting, what do you want to achieve? That no one can access your blog via HTTPS if you configured the frontend to use HTTP? I consider that to be a great restriction, IMHO the user should always be able to choose http/https on his own?
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Hi,
https drains CPU resources more than PHP - so _if_ you have a highly frequented site (or time-of-day or project deadline etc) that brings the server to its limits, the choice for the admin to turn off https for readers would make the site accessible for all (and keep https for authors).
Greetings
// Bernd
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
Hi!
Hm, I believe with a simple mod_rewrite rule, maybe checking some cookie variables, you could come up with fixed https redirection?
Developing the feature to separate those two and adding redirection features into Serendipity would also be a nice thing, but for me it's quite low-priority. If you want you could file a feature request on http://www.sf.net/projects/php-blog ?
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
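Garvin's mod_rewrite suggestion worked out as an added example (not code from this thread or from Serendipity): an .htaccess fragment that forces the admin script to https and the blog frontend back to http, which is the Admin=https / Blog=http row of Bernd's table. The admin file name follows the URLs in the thread; that mod_rewrite is enabled, that the file sits in the blog's document root, and that Apache sets the HTTPS variable for TLS requests are assumptions.

```apache
# Added example: Admin UI https-only, blog frontend http-only.
# Assumes mod_rewrite is available and this .htaccess is in the blog root.
RewriteEngine On

# Admin UI: any plain-http request for the admin script is sent to https.
# The original query string (e.g. the logout action) is kept automatically.
RewriteCond %{HTTPS} !=on
RewriteRule ^serendipity_admin\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

# Blog frontend: https requests for anything other than the admin script
# go back to http. Drop this block to let readers choose https themselves,
# which is the behaviour Garvin prefers. 302 so browsers do not cache it.
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !/serendipity_admin\.php$
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
```

Note that a session cookie set during the https login is still sent with the plain-http blog requests unless it carries the Secure flag, so this split saves TLS CPU on the frontend but does not by itself keep the admin session off the unencrypted side.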
garvinhicking wrote:
> Developing the feature to separate those two and adding redirection features .. for me it's quite low-priority.
Understood.
I chose Sy in the first place because it was the only blog to support PostgreSQL, maybe features like the above could help to sharpen its profile as a security-aware thing.
Anyhow, I did not regret having chosen Sy - and thanks a lot for the good work so far.
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
Hi!
I fully understand...and I'd love to develop into that direction, but could need a little developer help on that. I'm quite swamped with (paid) work and support on these forums as well as fixing bugs, so I have little time for new features at this time. This will change again later this year, but it's nothing I can easily draw from my hat.
So anyone who feels like joining the development team, I'd love to have that.
Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/