FUDforum: How To » Secure the 2.3.7 version? deadend.

Home » FUDforum » How To » Secure the 2.3.7 version? deadend. (

) 1 Vote

Show: Today's Messages :: Polls :: Message Navigator

Secure the 2.3.7 version? deadend. [message #17603]

Tue, 06 April 2004 16:30

StarLight{PL}

Messages: 22
Registered: March 2003

Karma: 0

Junior Member

At first, I must say I cannot upgrade because of heavy modifications made to the forum and its templates (lack of time). Ok, that aside, here's the problem.

I've tried implementing https:// support in 2.3.7. Did so by starting output buffering in GLOBALS.php and writing a callback function which converts all occurences of http://forum.url/ to https://forum.url/. if $GLOBALS['HTTP_SERVER_VARS']['HTTPS'] is on. So far so good, BUT!

When I try to post a form, let's say it's quicklogin form (but others also, like pm, post a message), I'm being bounced back to http://. This is regardless of form having an "action" attribute pointing to https://.

Well, okay, I thought. There must be some kind of header('Location: command which keeps me bouncing back. So I went and redefined all instances of header('Location: to point to https:// (the ones with the double quotes around "location: also) [joe + macros + good search&replace = not too much work Smile

]. In the include _and_ in the forum directory.

NO AVAIL. STILL KEEPS ME BOUNCED BACK.

Now I'm puzzled.

Any clues why this thing stil bounces me back to http? Has it perhaps something to do with $GLOBALS['returnto']? If yes, then where I can redefine it to sense https over http?

Ilia - any insights appreciated much. For example what's going on when the form (any form) is posted (in the forum ofcourse, not in http Wink

)? I found out that the login & password are sent on a secure connection - but that's it Sad

. There has to be something with the processing of the form. HELP Very Happy

EDIT: I forgot. This also happens when going to 'last post in thread' via the little arrow. Confused

[Updated on: Tue, 06 April 2004 16:37]

Report message to a moderator

Re: Secure the 2.3.7 version? deadend. [message #17606 is a reply to message #17603]

Tue, 06 April 2004 16:54

Ilia

Messages: 13241
Registered: January 2002

Karma: 0

Senior Member
Administrator
Core Developer

The process is much simpler then that Wink

Step #1: you need to open GLOBALS.php inside the include/ directory and replace all instances of http:// with https://
Step #2: login as the admin and rebuild all the themes that are active.

That's it you are done.

FUDforum Core Developer

Report message to a moderator

Odp: Secure the 2.3.7 version? deadend. [message #17616 is a reply to message #17603]

Wed, 07 April 2004 07:57

StarLight{PL}

Messages: 22
Registered: March 2003

Karma: 0

Junior Member

Yep, I've done that in the first place (it was enough to change just WWW_ROOT, as I recall), but we're trying to reduce the workload on the serwer and securing the whole forum would put too much overhead over the poor thing, because it could crash [note: this is *NOT* windows server] Smile

I've all of header('Location: http:...) replaced by a sensing function, but I've not touched the $GLOBALS['returnto']; b ecause I thought they'll be automatically https. I think I was wrong Wink

Any more insights? Smile

greetz / StarLight

Report message to a moderator

Re: Odp: Secure the 2.3.7 version? deadend. [message #17617 is a reply to message #17616]

Wed, 07 April 2004 12:36

Ilia

Messages: 13241
Registered: January 2002

Karma: 0

Senior Member
Administrator
Core Developer

If you rebuild the theme after changing WWW_ROOT it should modify just about all (if not all) instances of http:// with https://

Report message to a moderator

Odp: Secure the 2.3.7 version? deadend. [message #17618 is a reply to message #17603]

Wed, 07 April 2004 14:33

StarLight{PL}

Messages: 22
Registered: March 2003

Karma: 0

Junior Member

Yes, it does that allright... but we want to implement a possibility to choose if the user should go all-secure-way, or over unencrypted connection. Rebuilding etc. - I've been there, what I'm trying to implement (and almost succeeded Wink

) is a functionality to *sense* if the connection is HTTP or HTTPS. I think I'll try and play with those returnto globals. The only thing which puzzles me is i don't know where https is being changed into http. This has to be thorugh some header("Location:, but, as I mentioned I've changed all occurences of Location: http to Location: "._is_secure().":// etc. - so all those redirects are now https-aware. I didn't touch these returnto - I think I should tinker with those to achieve the functionality I want Very Happy

...

greetz & thanks for the great forum package... It's awesome in many ways.

StarLight

Report message to a moderator

Odp: Secure the 2.3.7 version? deadend. - SOLVED [message #17621 is a reply to message #17603]

Wed, 07 April 2004 16:09

StarLight{PL}

Messages: 22
Registered: March 2003

Karma: 0

Junior Member

yahoooooooooo!!!

Ok, I've done it! I've modified every reference to header("Location {ROOT}, and also to Location: GLOBALS('returnto') [the later did the trick for login but not much else]...

now my forum has http sensing... in a hacked way, but... Very Happy

dum di dum humm humm...

I consider this topic RESOLVED Very Happy

greetz and thanks anyway Ilia, and keep up the good work (although I do not like the cluttered new layout much Twisted Evil

)

StarLight

Report message to a moderator

Previous Topic:	Display answer of a special member
Next Topic:	probleme with ID in egroupware / FUD

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Thu Nov 21 19:40:15 GMT 2024

Total time taken to generate the page: 0.02162 seconds