Hi there
I have a problem which I'm sure must be easy to fix and that others have had. I just can't find anything in the threads, or maybe I'm looking over it.
I have a site with amember protecting a directory with a PHP application. From the main Index HTML file I have a link to this app:
    https://www.domain.com/control/Login.php
Now amember kicks in and wants to protect the directory and asks for a password. Rightly so. BUT, the URL is now:
    http://www.domain.com/amember/plugins/protect/new_rewrite/login.php?v=-1&url=/control/Login.php
NOTE: the https changed to http. So entering the password etc. is not secured. Then you type in the password and the app is then also without the https. If I then go back to the HTML file and click on the link again, then it becomes https. (As the link dictates.)
In the configuration of amember (in admin), I have the Secure Root URL set to https and the normal URL to http:
What else do I have to do? As far as I'm concerned it should stay https all the way through.
BTW, it doesn't matter whether the current URL is http: or https: when I click on that link, the amember login page comes up with http: If I manually change it to https:, it still works, but of course it should work with the link as well.
Any ideas?
thanks
Paul
Workaround for this issue
I found the best solution is to force SSL via .htaccess. You can use the following in your amember root directory .htaccess file:
Code:
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} amember
    RewriteRule ^(.*)$ https://www.yoursite.com/amember/$1 [R,L]
Change the yoursite.com in the rewrite rule to your actual site url.
The only issue is that it will break your cronjob for cron.php. My solution was to create a directory under my amember directory, say /cron, and copy cron.php to that directory. Then turn off mod_rewrite in that directory by adding a .htaccess file to the cron directory with the following in it:
Code:
    RewriteEngine off
Finally, edit the cron.php that you copied to the new cron subdirectory, fixing the path to the configuration file. You need to change:
PHP:
    require '.config.inc.php';
to
PHP:
    require '../config.inc.php';
That will force SSL for all amember pages and keep your external cron happy. Good luck!
Most excellent hack, michael_s. I have been working for half a day to solve this problem, that is, to use SSL with the sign-up form page, not just on the login page. The hack does not show that it is going to use SSL in the bottom navigation field of the browser (Firefox in my case), but as soon as the sign-up page loads, it uses the secure socket layer, without any of the normal *.php or *.html pages affected. Neat! I haven't tried the cron hack yet, but I will when the time comes. Thank you for sharing your code.
Still working?
Hi Crockett, Is this hack still working for you? Did you implement the cron hack? Thanks much for any info you can share.
Applying this method to payment gateway postback
I tried this method, but broke my payment gateway postback. Is there any way to apply the cron trick to a file to fix the postback functionality? Perhaps if I put a .htaccess
Code:
    RewriteEngine off
in the folder /plugins/payment/1shoppingcart
Thanks
sl
I think Alex should look at this issue, and fix it once for all. I have another issue. I always access amember/admin folder via https. Previously, every link in admin panel was https if I accessed the admin area from an HTTPS url but now in v3.1.4 most of the links in admin panel (left frame) use http urls, and clicking on those links takes you to insecure http mode. I had to edit the menu.php file (I think) and forced all urls to always use HTTPS.
I created a smarty template file called smarty_force_ssl.html and I include it on template files that I want secured with SSL. It's working fine with signup.php and profile.php. Any feedback / criticism / suggestions are appreciated.
NOTE:
- I have NOT tried it with the login.html template page.
- I am using this code on a Beta site... thoroughly test before putting into a production server.
- This code also adds www to the URL (for our SSL cert)
include line:
Code:
    {include file="smarty_force_ssl.html"}
smarty_force_ssl.html template:
PHP:
    {php}
    //This customization ensures that SignUps / Profile edits happen in SSL
    //and the url is www to match our SSL cert
    $workingserver = $_SERVER['SERVER_NAME'];
    $w3 = substr($workingserver,0,3);
    if ($w3 != "www" ){
        $newurl = "https://www.".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
        header("location:$newurl");
        exit; // stop here so the rest of the page is not rendered over plain HTTP
    }elseif (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != "on"){
        // HTTPS is unset on plain-HTTP requests under some servers, so test for that first
        $newurl = "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
        header("location: $newurl");
        exit; // stop here so the rest of the page is not rendered over plain HTTP
    }
    // END SSL WWW Customization
    {/php}
I used
Code:
    RewriteEngine On
    RewriteCond %{SERVER_PORT} !443
    RewriteRule (.*) https://www.domain.com/ [R]
then I just added the s to http in the cron job and it works just fine.
    https://www.yoursite.com/amember/cron.php
You can also do this for post backs. To fix the post back, just log in to your payment processor and change the post back link by adding the S to http.
If the request is already using port 443 (SSL) it will not rewrite it and will allow it to pass through.
Example: https://www.domain.com/amember/signup.php - will show as a direct request
If they request the same page without using port 443 (SSL) it will redirect them to https://www.domain.com/ or https://www.domain.com/amember (respectively, if you only have the .htaccess in the amember folder).
What this does is change the entire site to use the SSL. I put amember in the root of it all and I built my website around that. So all logins and signups are using SSL no matter what. Since most of us like to have a login on the main page, this is the only way to have it secured by SSL for the entire login process.
If you just want the amember directory to use it, change the code to this and then place the .htaccess file into the amember directory:
Code:
    RewriteEngine On
    RewriteCond %{SERVER_PORT} !443
    RewriteRule (.*) https://www.domain.com/amember [R]
Hope this is a little easier to follow.
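Added example, not part of any post in this thread: one .htaccess for the amember directory that combines the approaches discussed above (force HTTPS, force the www host name that matches the certificate, keep the requested path, and leave cron.php and payment postbacks untouched). The host name www.example.com and the exemption patterns are assumptions; the paths cron.php and /plugins/payment/ are taken from the posts above.

```apache
# Added example for <site root>/amember/.htaccess (requires mod_rewrite).
# www.example.com is a placeholder for the name on the SSL certificate.
RewriteEngine On

# Redirect when the request is not on TLS, OR when the host name is not the
# certificate's name. [OR] joins only these two conditions; the exemptions
# below are then ANDed with the result.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]

# Exemption 1: the cron entry point, so an existing http:// cron job keeps
# working without copying cron.php into a separate directory.
RewriteCond %{REQUEST_URI} !/cron\.php$

# Exemption 2: payment plugin postback URLs. Most HTTP clients do not replay
# a POST body after a redirect, which is why a blanket redirect breaks
# postbacks. Registering the https:// postback URL with the processor, as
# suggested in the thread, avoids the need for this exemption and keeps the
# postback encrypted.
RewriteCond %{REQUEST_URI} !/plugins/payment/

# In a per-directory .htaccess, $1 is the path relative to this directory,
# so the requested page is preserved. The query string is passed through
# unchanged because the substitution contains no "?".
# The target host is a fixed string, not taken from the request.
RewriteRule ^(.*)$ https://www.example.com/amember/$1 [R=301,L]
```

%{HTTPS} reflects the connection Apache itself sees, so behind a TLS-terminating proxy or load balancer it stays "off" and this rule would loop. A redirect also only protects requests made after it; a login form that posts to an http:// URL has already sent the password in clear text before the redirect is issued, so the form's action URL must be https as well.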