Two login problems - cookies persist, https redirects to http

Posted: Fri Jan 27, 2017 10:41 am
by BioLogIn
Support Request Template
What version of phpBB are you using? phpBB 3.1.10
What is your board's URL? fighting.ru/forum
Who do you host your board with? linode.com
How did you install your board? I used the download package from phpBB.com
What is the most recent action performed on your board? Update from a previous version of phpBB3
Is registration required to reproduce this issue? Yes
Do you have any MODs installed? No
Do you have any extensions installed? Yes
What version of phpBB3 did you update from? phpBB 3.0.9
What extensions do you have installed? 24 hour activity stats 1.0.3, Advanced Polls 1.2.1-b1, Avatar Upload - Resize & Crop 1.0.0, Ban Hammer 1.0.0, Board Rules 1.0.4, Custom User Title 1.0.0, External Links Open in New Window 1.0.5, First post on every page 2.0.2, Genders 1.1.1, Google Analytics 1.0.1, Individual posts per page 1.0.1, Mark forums read 0.1.0, Medals System 1.0.0, phpBB Gallery 1.2.0, Post Numbers 1.1.0, Profile side switcher 1.0.0, QuickReply Reloaded 1.1.0-beta1, s9e/mediaembed 20170116, Scroll To Up and Bottom 1.0.1, Social Sharing w/Dyanmic Opengraph Tags 0.9.1, Stop Forum Spam 1.0.6, Thanks for posts 2.0.2, Mchat 2.0.0
What styles do you currently have installed? prosilver
What language(s) is your board currently using? RU, EN
Which database type/version are you using? MySQL 5
What is your level of experience? Comfortable with PHP and phpBB
What username can be used to view this issue? test
What password can be used to view this issue? testphpbb
What actions did you take (updating your board; installing a MOD, style or extension; etc.) prior to this problem becoming noticeable? -
Please describe your problem. 1. I have set up the board to be accessible both over http and https (using a self-signed certificate). HTTPS works fine, however, after logging in through the login form (https://www.fighting.ru/forum/ucp.php?mode=login) users are still implicitly redirected to an http version, and have to manually change the link to get back to https.

Is there any way to redirect users after the login preserving the chosen protocol?

2. (This one is regardless of the protocol.) Currently, if the "remember me" checkbox is not checked during the login, the user still receives a cookie for 30 days (which is the amount set for those who have checked the checkbox). Moreover, their session does not expire when the browser window is closed, and users expect the session to expire (based on other web sites' behaviour), which leads to potential security problems for them.

Is this behavior intended by the phpBB devs or is this a bug?

Re: Two login problems - cookies persist, https redirects to http

Posted: Fri Jan 27, 2017 10:54 am
by Mick
Have a look at https://www.phpbb.com/community/viewtop ... #p12002945

There are more if you have a search round.

You need to set Cookie secure to yes if you're intending to use SSL.

Re: Two login problems - cookies persist, https redirects to http

Posted: Fri Jan 27, 2017 11:14 am
by BioLogIn
Thanks, Mick! I did the search, and I saw that thread as well. But if I understand correctly, I have a slightly different situation:

1a. I don't want to force HTTPS (just yet). I want to have both options for now. If I set the cookie secure, as you suggest, cookies will stop working for http (at least the ACP hint says so).

1b. Currently cookies work for both http and https - as I said, after the https login users are redirected to http, but if they manually edit the URL to get back to any https page, they are logged in and can continue using the https forum.

So I don't need to switch anything to make cookies work (because they already work). I just need post-login redirect to respect the pre-login protocol.
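
Added example, not part of the original thread and not phpBB's own code: a small Python check of a login response's headers for the three behaviours discussed above (a redirect that drops from https to http, cookies without the Secure flag that are therefore also sent over http, and persistent cookies issued although "remember me" was not ticked). The cookie names, host and header values are constructed sample data.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, attributes with lowercase keys)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def is_persistent(attrs):
    """A cookie outlives the browser session if it carries Max-Age > 0 or Expires.
    Limitation: an Expires date in the past (a deletion) is not distinguished here."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    return "expires" in attrs


def audit_login_response(request_scheme, remember_me, headers):
    """headers: list of (name, value) pairs taken from the login response."""
    findings = []
    for hname, value in headers:
        h = hname.lower()
        if h == "location":
            # Login was submitted over https but the redirect target is plain http.
            if request_scheme == "https" and value.lower().startswith("http://"):
                findings.append(("redirect-downgrade", value))
        elif h == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            # Without Secure the browser also sends this cookie over http.
            if request_scheme == "https" and "secure" not in attrs:
                findings.append(("cookie-sent-over-http", cname))
            # Session should end with the browser when "remember me" is unticked.
            if is_persistent(attrs) and not remember_me:
                findings.append(("persistent-without-remember-me", cname))
    return findings


# Constructed sample: an https login without "remember me" (names/hosts are made up).
SAMPLE_HEADERS = [
    ("Location", "http://forum.example/index.php"),
    ("Set-Cookie", "phpbb3_demo_sid=abc123; expires=Sun, 26-Feb-2017 10:41:00 GMT; "
                   "path=/; domain=.forum.example; HttpOnly"),
    ("Set-Cookie", "phpbb3_demo_u=2; Max-Age=2592000; path=/; Secure; HttpOnly"),
]
```

Run `audit_login_response("https", False, SAMPLE_HEADERS)` against headers captured from your own board's login response to see which of the three conditions apply.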

Re: Two login problems - cookies persist, https redirects to http

Posted: Fri Jan 27, 2017 12:23 pm
by Mick
If I'm reading this properly adding the redirect to .htaccess will redirect anyone coming in on HTTP to HTTPS so you would be SSL all the way.

Re: Two login problems - cookies persist, https redirects to http

Posted: Fri Jan 27, 2017 12:47 pm
by BioLogIn
"If I'm reading this properly adding the redirect to .htaccess will redirect anyone coming in on HTTP to HTTPS so you would be SSL all the way."

No, I have explicitly said that I don't want to force https:

"1a. I don't want to force HTTPS (just yet)."

I want to give users a choice. And they have a choice, everything works fine both for http and https, all links work.

Save for the login moment, when users are incorrectly redirected to http regardless of their previous protocol.

Re: Two login problems - cookies persist, https redirects to http

Posted: Mon Jan 30, 2017 1:54 pm
by BioLogIn
Bump...

Re: Two login problems - cookies persist, https redirects to http

Posted: Sat May 06, 2017 11:55 am
by BioLogIn
So am I doing something wrong, or are these bugs that should be submitted to tracker, if anyone cares at all?

Re: Two login problems - cookies persist, https redirects to http

Posted: Thu May 11, 2017 7:08 am
by BioLogIn