SSL for login only?

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
BenPollinger
Registered User
Posts: 13
Joined: Sun Feb 02, 2003 2:01 pm
Location: Leeds
Contact:

SSL for login only?

Post by BenPollinger » Wed Jan 25, 2006 9:30 pm

Hello all,

I'm trying out SSL on my site with phpBB 2.0.19

Is it possible to login over SSL but otherwise use normal http?

I set the cookie to secure which directed to https://server/phpbb/login.php but on my host, https points to a different directory structure to http. The host is 34sp.com who use Plesk, and my subdomain has httpdocs and httpsdocs as separate trees. Since I installed phpbb in the http section only, phpbb redirects to a non-existent page on login.

I could run the whole thing over SSL but I guess that might slow things down a bit at busy times, and would be overkill. Secure login would be enough.

This post seems to be saying the same thing:
http://www.phpbb.com/phpBB/viewtopic.php?t=334463

Am I missing something? Any pointers welcome.

thanks,
Ben

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Thu Jan 26, 2006 3:42 am

You would have to do a MOD for that. And browsers will treat them as separate forums, so cookies wouldn't work right.

There would be little point; if you're going through the trouble of setting up SSL (with certificates and everything and a dedicated IP), go SSL all the way.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer

Lumpy Burgertushie
Registered User
Posts: 66897
Joined: Mon May 02, 2005 3:11 am
Contact:

Post by Lumpy Burgertushie » Thu Jan 26, 2006 4:05 am

like espicom said, you can't just "decide" that you want to use SSL. you have to purchase and install a certificate, then your server has to be setup correctly, etc. etc.

there is no real need for it with a phpbb board anyway.

what are you trying to accomplish here?

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

BenPollinger
Registered User
Posts: 13
Joined: Sun Feb 02, 2003 2:01 pm
Location: Leeds
Contact:

Post by BenPollinger » Thu Jan 26, 2006 6:59 pm

Hi thanks for your replies.

I got a free cert from www.cacert.org and have set it up fine, a dedicated IP wasn't needed as it was issued for my hosted account from www.34sp.com - not that much trouble in itself. Should have clarified that I'd done all that in my first post.

I suppose my idea was to encrypt the login process to give some protection of passwords. I think Hotmail used to do this - encrypt the login process but not when reading mail.

I thought moving the whole board to SSL might slow it down a bit but guess I'll give it a go and see how the server copes.

Thanks again,
Ben

Lumpy Burgertushie
Registered User
Posts: 66897
Joined: Mon May 02, 2005 3:11 am
Contact:

Post by Lumpy Burgertushie » Thu Jan 26, 2006 9:19 pm

the passwords are md5 hashed in the database, and if you are worried about someone grabbing them during the time that the script is checking the database to verify it, then that is being a bit paranoid. someone would have to know exactly when you, or whoever, were going to click the submit/login button, they would have to be monitoring those data transmissions somehow, and have the equipment, etc. to do all that.

Plus, they would have to have some reason to care about your username/password to access your board. If what you are using your board for is that sensitive, then you should not be depending on phpbb or even the web for storing that kind of info.

just my rant,

good luck,
robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

BenPollinger
Registered User
Posts: 13
Joined: Sun Feb 02, 2003 2:01 pm
Location: Leeds
Contact:

Post by BenPollinger » Thu Jan 26, 2006 9:37 pm

Fair points. Just exploring the possibilities, and you're right, it doesn't make much sense in the context of my board.

cheers,
Ben

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Thu Jan 26, 2006 9:47 pm

SSL requires a lot more CPU horsepower, of course, but the bandwidth is the same.

SSL does require a specific IP (one certificate per IP), because the certificates are exchanged before the server and client ever talk about domain names. If they don't match, then errors are reported. That's why it doesn't work for name-based virtual hosting.

Which is why, if you're bothering to go that way, the hosts would actually prefer you to stay SSL, 'cuz it lets them use the non-SSL port on that IP for other things.

I've even used tests in the index file to redirect from the non-secure port to the SSL port, which works well.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer

abertoll
Registered User
Posts: 85
Joined: Fri Jan 21, 2005 5:13 am
Contact:

Post by abertoll » Fri May 05, 2006 9:12 am

Lumpy Burgertushie wrote: the passwords are md5 hashed in the database, and if you are worried about someone grabbing them during the time that the script is checking the database to verify it, then that is being a bit paranoid.

The danger isn't the script checking the db, the danger is the submission of the information over the Internet from the user's browser to the webserver.

Lumpy Burgertushie wrote: someone would have to know exactly when you or whoever, were going to click the submit/login button, they would have to be monitoring that data transmissions somehow, and have the equipment, etc. to do all that.

It's really easy. Ever tried using ethereal?

Lumpy Burgertushie wrote: Plus, they would have to have some reason to care about your username/password to access your board. If what you are using your board for is that sensitive, then you should not be depending on phpbb or even the web for storing that kind of info.

I don't know why people here are acting like a lack of SSL login is no big deal. Even though it's "just a forum," a lot of users use the same username and password for most, if not all, of their logins online. It's not an unreasonable request.

At the very least, there should be a note on the registering page to "not use a valuable password" like GNU Mailman does.

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Fri May 05, 2006 3:18 pm

abertoll wrote: At the very least, there should be a note on the registering page to "not use a valuable password" like GNU Mailman does.

Warnings like that mean nothing to the people who would need it most - they don't give a hoot, until something goes wrong. They're also the ones that think passwords like "asdfgh" are secure...

The problem is that PHPBB is designed around being able to be installed without a lot of extras. Making a secure login to a non-secure site involves some fancy footwork as far as the login cookies are concerned, since (as stated earlier) the browser will not offer a cookie obtained from a secure site to a non-secure site, even in the same domain.

When security of the passwords is important, by all means, go straight to a full SSL site. It's not worth the aggravation of trying to split the login from the rest of the site for the slight performance increase.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer

mabiuso
Registered User
Posts: 1
Joined: Mon Jul 24, 2006 2:05 pm

Post by mabiuso » Mon Jul 24, 2006 2:17 pm

I don't really understand what's the problem in using https for login only. The popular ecommerce website (paying open source) x-cart (www.x-cart.com) has always been doing that.
BTW just look at the big ones and you'll see a lot of examples like that: mail.yahoo.com (they also have a little link "Why this is secure" explaining the procedure), just to name one...

What I did to implement it on phpBB is open include/page_header.php and change this line 410 (in 2.0.21) from:

	'S_LOGIN_ACTION' => append_sid('login.'.$phpEx),
to

	'S_LOGIN_ACTION' => append_sid("https://".$board_config['sitename'].$board_config['script_path'].'login.'.$phpEx),
This line will put an https://yoursite.com/scriptpath/login.php in the <form> tag only of the login page so that login POST parameters will be encrypted.

Keeping the cookie_secure option disabled will ensure that all the rest of the forum is in pure http.

I'm not a cookie guru, but I tried clearing my cookies and logging in with this method and I noticed no difference at all! :wink:

If you see any drawbacks, just tell me 8)

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Mon Jul 24, 2006 7:59 pm

mabiuso wrote: I don't really understand what's the problem in using https for login only. The popular ecommerce website (paying open source) x-cart (www.x-cart.com) has always been doing that.


It is possible to design a site to handle passing session information in a GET to a secure page, then handing control back to a non-secure page using a GET action there, too. You can combine POST form information and GET URL-based data for effect, as you have done. But the cookies for the non-secure site and secure sites will not be mixed by the browser - they're kept separate.

Anything that requires both the cookie AND the URL to match will be problematic, unless you send a secure cookie during the login, followed by the non-secure cookie when things get redirected back to the non-secure site. This is mainly admin functions, so you probably will get away with it.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
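The cookie behaviour espicom describes, and the reason mabiuso's form-action change only keeps the login working when cookie_secure stays off, modelled with Python's standard http.cookiejar, which applies the same Secure/domain/path rules a browser does. This is an added example, not code from the thread or from phpBB; the host, session id and the phpbb2mysql_sid cookie name are constructed values.

```python
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Stand-in for a urllib response: CookieJar only needs .info() with get_all()."""
    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value   # Message.__setitem__ appends, keeping repeats

    def info(self):
        return self._msg


def cookies_offered(set_cookie_headers, login_url, later_url):
    """Store the cookies a login response at login_url sets, then return the names
    the jar would attach to a later request for later_url (empty list if none)."""
    jar = http.cookiejar.CookieJar()   # same Secure/domain/path rules a browser applies
    jar.extract_cookies(_FakeResponse(set_cookie_headers), urllib.request.Request(login_url))
    later = urllib.request.Request(later_url)
    jar.add_cookie_header(later)
    header = later.get_header("Cookie") or ""
    return sorted(p.split("=", 1)[0].strip() for p in header.split(";") if p.strip())


# Constructed values: host and session id are made up; the cookie name follows
# phpBB2's default "phpbb2mysql" prefix (assumed here).
LOGIN_URL = "https://forum.example/phpbb/login.php"
HTTP_INDEX = "http://forum.example/phpbb/index.php"
HTTPS_INDEX = "https://forum.example/phpbb/index.php"
SECURE_COOKIE = ["phpbb2mysql_sid=0123abcd; path=/phpbb; secure"]   # cookie_secure enabled
PLAIN_COOKIE = ["phpbb2mysql_sid=0123abcd; path=/phpbb"]            # cookie_secure disabled


def secure_login_then_http():
    # The original poster's setup: the Secure flag keeps the session cookie off every
    # plain-http page, so the rest of the board never learns that the user logged in.
    return cookies_offered(SECURE_COOKIE, LOGIN_URL, HTTP_INDEX)


def secure_login_then_https():
    return cookies_offered(SECURE_COOKIE, LOGIN_URL, HTTPS_INDEX)


def plain_cookie_then_http():
    # mabiuso's approach (cookie_secure off): the cookie crosses back to http, so the
    # login sticks, but the session id now travels in clear on every later request.
    return cookies_offered(PLAIN_COOKIE, LOGIN_URL, HTTP_INDEX)
```

The third case is the trade-off the thread circles around: the password is protected on the one https POST, but the session cookie that results is then exposed on every plain-http request, which is what TimG's packet-sniffer remark below applies to.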

Lumpy Burgertushie
Registered User
Posts: 66897
Joined: Mon May 02, 2005 3:11 am
Contact:

Post by Lumpy Burgertushie » Mon Jul 24, 2006 8:37 pm

besides, why worry about it. you are not passing any critical info, just a username and password. it is encrypted once it gets to the database.

nobody can intercept the info as it is being sent across the internet unless they have invested a lot of time and money in equipment etc.

plus, they would have to be monitoring your site and/or the members computer all of the time to be able to intercept the transfer of data.

what are the chances of that?

I do believe you are a bit on the paranoid side my friend.

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

murrayie1
Registered User
Posts: 18
Joined: Thu Aug 11, 2005 10:24 am

Post by murrayie1 » Tue Jul 25, 2006 10:59 pm

I was interested in this for the simple reason that I wanted to use the user credentials for a slightly more serious activity, having written my own code to verify username and password.

It would seem silly to allow the same forum username and password to be sent unencrypted when accessing the bulletin board.

TimG
Registered User
Posts: 121
Joined: Sun Jun 23, 2002 8:52 pm
Location: Germany

Post by TimG » Wed Aug 23, 2006 4:11 am

Lumpy Burgertushie wrote: nobody can intercept the info as it is being sent across the internet unless they have invested a lot of time and money in equipment etc.

There is a very common situation where it is extremely easy to intercept the login details: If you are accessing your forum via a public WiFi hotspot with a laptop anyone nearby with a packet sniffer can intercept all your logon details without any problems. Most modern sniffers will even filter out username and password combinations from the streams automatically. Or are the login details hashed before they are sent? If not, and if you are logging on to your board as an admin, the person running the sniffer can then immediately destroy your phpBB installation. Being concerned about this is not paranoid at all, it is just good sense.
Last edited by TimG on Wed Aug 23, 2006 4:28 am, edited 1 time in total.
Regards,
Tim

Avelladore
Registered User
Posts: 110
Joined: Tue Aug 22, 2006 11:26 pm
Location: Mississauga, Ontario, Canada

Post by Avelladore » Wed Aug 23, 2006 4:23 am

What, are you gonna be selling stuff or something? Because ssl certs are usually used for banks, online stores, etc.
