http vs https cookie issue

zagman76

Hello - I apologize if this has been reported/addressed - I did not see it here.

I am having a problem on my forum where people keep getting logged out if their entry/login URL is different than what I have set in the Admin CP. I have a few different versions of the domain (.com, .net, .org), but only have the .com set in the CP. Now, the technically different domains aside, I also offer SSL on the .com version of the site.

If you enter/login via the SSL URL, and then click on the 'Home' link (or other links it seems), you are immediately dropped out to the non-ssl version, and are logged out.

Any assistance would be appreciated, and please let me know if you need any additional info from me.
 
I guess this is the normal behaviour, it worked like this for me in vb 3.8 too.

I have multiple domains, http and https. What I suggest you do is put in place some rewrite rules to force everybody onto a single domain and https.
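Why the login disappears in the situation described above, as an added example that is not part of the original posts: a simplified model of the browser's cookie-matching rules (RFC 6265). It assumes a hypothetical host-only `session` cookie with the Secure flag set by `https://www.yourdomain.com`; the cookie name and attributes are assumptions, not XenForo's actual settings, and Path matching and IP-address hosts are left out.

```python
from urllib.parse import urlsplit


def domain_match(host, cookie_domain):
    """RFC 6265 domain-match: the exact host or a subdomain of the Domain= value."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_sent(cookie, url):
    """Return True if a browser would attach `cookie` to a request for `url`.

    Path is assumed to be "/" and is not checked.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie["secure"] and parts.scheme != "https":
        return False  # Secure cookies are never sent over plain http
    if cookie["domain"]:
        return domain_match(host, cookie["domain"])
    return host == cookie["set_by"]  # no Domain= attribute: host-only cookie


def survey(cookie, urls):
    """Map each URL to whether the cookie would accompany the request."""
    return {url: cookie_sent(cookie, url) for url in urls}


# Constructed sample data (hypothetical cookie, placeholder host names).
LOGIN_COOKIE = {"name": "session", "set_by": "www.yourdomain.com",
                "domain": None, "secure": True}
URLS = [
    "https://www.yourdomain.com/forum/",  # the URL the user logged in on
    "http://www.yourdomain.com/forum/",   # 'Home' link pointing at http
    "https://yourdomain.com/forum/",      # same site without www
    "https://www.yourdomain.net/forum/",  # alternate TLD
]

if __name__ == "__main__":
    for url, sent in survey(LOGIN_COOKIE, URLS).items():
        print(("sent    " if sent else "dropped ") + url)
```

Only the first URL carries the cookie; redirecting every entry URL to one scheme and one host makes all requests look like that first case.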
 
When I was using vB, I never had this issue - vB always seemed to make the links relative to the entry URI. Unfortunately I can't force SSL because my ads don't show when I do that.
 
Yes it is true vb made the links relative, but not the home link if for example you had http instead of https defined as default, also if someone linked another domain or protocol you would have the problem too.

You can resolve the multi domain with rewrites, any idea why the ads don't show with https?
 
That's true - I originally was doing both, and forcing the SSL version.

The users are prompted by their browsers with an SSL error because of the mixed content. If they don't allow the mixed content, they won't see the ads. :(
 
I guess you are using Google AdSense then, for some reason they think it is better for you to not show ads than your users getting a warning they are leaving a secure page when they click the ads. I find it unbelievable that Google hasn't addressed this issue yet, SSL is widely used now :(

http://support.google.com/adsense/bin/answer.py?hl=en&answer=10528
 
Yes - that is correct! And with everything else that Google slaps a cert on, I'm surprised they haven't figured out a way to do it on the adsense content.
 
Just in case you use nginx or someone that does finds this thread, this is an example configuration to both force https and www:
Code:
# Plain HTTP on either host name: redirect to the canonical https://www host.
server {
    listen xxx.xxx.xxx.xxx:80;
    server_name yourdomain.com www.yourdomain.com;
    rewrite ^ https://www.yourdomain.com$request_uri? permanent;
}

# HTTPS on the bare domain: redirect to the www host.
server {
    listen xxx.xxx.xxx.xxx:443 ssl;

    ssl_certificate /path/yourdomain.crt.pem;
    ssl_certificate_key /path/yourdomain.key.pem;

    server_name yourdomain.com;

    rewrite ^ https://www.yourdomain.com$request_uri? permanent;
}
 
How about combining these two?
Forcing WWW and HTTPS?

Just one after the other, in either order:

Rich (BB code):
#	Mod_security can interfere with uploading of content such as attachments. If you
#	cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#	SecFilterEngine Off
#	SecFilterScanPOST Off
#</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

<IfModule mod_rewrite.c>
	RewriteEngine On

	# Force www
	RewriteCond %{HTTP_HOST} !^www\.yoursite\.com$
	RewriteRule ^(.*)$ http://www.yoursite.com/forum/$1 [R=301,L]

	# Force https
	RewriteCond %{SERVER_PORT} 80
	RewriteRule ^(.*)$ https://www.yoursite.com/forum/$1 [R,L]

	#	If you are having problems with the rewrite rules, remove the "#" from the
	#	line that begins "RewriteBase" below. You will also have to change the path
	#	of the rewrite to reflect the path to your XenForo installation.
	#RewriteBase /xenforo

	#	This line may be needed to enable WebDAV editing with PHP as a CGI.
	#RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

	RewriteCond %{REQUEST_FILENAME} -f [OR]
	RewriteCond %{REQUEST_FILENAME} -l [OR]
	RewriteCond %{REQUEST_FILENAME} -d
	RewriteRule ^.*$ - [NC,L]
	RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
	RewriteRule ^.*$ index.php [NC,L]
</IfModule>
 
Why is Google adsense not loaded with https: https://www.phcorner.net/ ?
 