• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

http://xenforo.com/community: Force SSL / HTTPS

Status
Not open for further replies.

Chris D

XenForo developer
Staff member
#1
It is already possible to browse this forum with an SSL connection and more people have begun to do so. I did for a while. Unfortunately, cookies are an issue.

If you're logged into https://xenforo.com/community and you click on a link to the non-SSL version of the site, you are logged out and not only that, you are further logged out from the SSL version of the site also.

I think a similar happens when the reverse is true, also.

It makes it quite a fragmented experience.

Realistically there's only two options, go back to forcing HTTP only or migrate to force HTTPS only. Unless there is anything that can be changed to prevent the cookies being such an issue. I assume the only thing that could be changed, though, is the secure flag on the cookie...

Just a thought, anyway. I think people would probably prefer to browse the entire site with HTTPS, especially as the rest of XenForo.com does the same.
 

Chris D

XenForo developer
Staff member
#3
Interesting.

It appears to be maintaining my logged in state between the two sites now. I'm pretty sure https => http resulted in an instant log out before.

I'd still like to see https become the standard, though.
 

Lisa

Well-known member
#4
I've been getting logged out randomly for about a week or so now. Even by refreshing the page I'm on... figured it was me. I did whine to @Brogan and @Jeremy about it a time or two :D
 

Digital Doctor

Well-known member
#7
Alot of people want https://

Seems like a good idea to fully support it as one option to select when installing xenforo.

Having it as default seems premature.

At this stage, it seems admins have to jerry rig xenforo to get https working.
 

Null

Well-known member
#12
Damn, this was annoying me so much I've written a little snippet for Chrome to rewrite URL's from http to https.

The only downside is this adds slight lag while browsing XF.
 

SamL

Active member
#13
Given that this domain has SSL available, and that many of the functions in v1.3.x are related to using SSL (image and link proxies), it seems pretty silly not to redirect everything to SSL. Think of it as debuting the full range of XF Features, if nothing else.
 

melbo

Well-known member
#14
So if you set your board URL to https, does http still work?
I wasn't able to get both working during testing my ssl migration but the internal links seem to be correct at XF no matter how you browse.
 

Null

Well-known member
#15
So if you set your board URL to https, does http still work?
I wasn't able to get both working during testing my ssl migration but the internal links seem to be correct at XF no matter how you browse.
Yes; if you set your board URL to https, any forum generated links will contain https:// but http:// will still work, you'd need to force https:// via .htaccess (or its equivalent).

https works here on XF but if you click on any user-generated links, you'll be logged out.
 

Chris D

XenForo developer
Staff member
#17
I've seen a few people seem to prefer using HTTPS and there's still an issue with "getting logged out" because there's no continuity or standard amongst the community.

I really think it would be a good idea, one way or another, to force visitors to either HTTP or HTTPS. I'd prefer HTTPS but if it meant there was some consistency I'd be happy with HTTP only too.
 

SamL

Active member
#18
I've seen a few people seem to prefer using HTTPS and there's still an issue with "getting logged out".....I really think it would be a good idea, one way or another, to force visitors to either HTTP or HTTPS. I'd prefer HTTPS....
It baffles me why this forum doesn't force SSL. They went to the trouble of obtaining and installing an SSL cert, and have even developed features into the forum core that make supporting it so easy (link proxy, image proxy, etc). It's a shame not to actually make use of the work they've put into those features here on their community support site. In fact, it seems like a golden opportunity to showcase to customers how nicely XF works via SSL. Demonstrating a 'best practice' feature can only be beneficial.

JMO
 

Chris D

XenForo developer
Staff member
#19
Well, it's the same certificate they use in the customer area so it wasn't much trouble, I'm sure. But I don't disagree on everything else. Perfect opportunity being missed for the sake of what is presumably a 5 minute job. Unless, of course, there's a reason not to which we don't know.
 
Status
Not open for further replies.