1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

http://xenforo.com/community: Force SSL / HTTPS

Discussion in 'General XenForo Discussion and Feedback' started by Chris D, Apr 2, 2014.

Thread Status:
Not open for further replies.
  1. Chris D

    Chris D XenForo Developer Staff Member

    It is already possible to browse this forum with an SSL connection and more people have begun to do so. I did for a while. Unfortunately, cookies are an issue.

    If you're logged into https://xenforo.com/community and you click on a link to the non-SSL version of the site, you are logged out and not only that, you are further logged out from the SSL version of the site also.

    I think a similar happens when the reverse is true, also.

    It makes it quite a fragmented experience.

    Realistically there's only two options, go back to forcing HTTP only or migrate to force HTTPS only. Unless there is anything that can be changed to prevent the cookies being such an issue. I assume the only thing that could be changed, though, is the secure flag on the cookie...

    Just a thought, anyway. I think people would probably prefer to browse the entire site with HTTPS, especially as the rest of XenForo.com does the same.
    fEaRz, Xon, Steve F and 10 others like this.
  2. whynot

    whynot Well-Known Member

    With my browser it's true when logged in with http and clicking on a https link.
    When logged in with https clicking on a http link: it doesn't happen.

    Tested here: http://xenforo.com/community/threads/testing-https.71603/
    Chris D likes this.
  3. Chris D

    Chris D XenForo Developer Staff Member


    It appears to be maintaining my logged in state between the two sites now. I'm pretty sure https => http resulted in an instant log out before.

    I'd still like to see https become the standard, though.
    Null likes this.
  4. Lisa

    Lisa Well-Known Member

    I've been getting logged out randomly for about a week or so now. Even by refreshing the page I'm on... figured it was me. I did whine to @Brogan and @Jeremy about it a time or two :D
  5. Brogan

    Brogan XenForo Moderator Staff Member

    I switched back from https last week due to flip-flopping and logging out problem.
  6. Null

    Null Well-Known Member

    I'd also like to see HTTPS forced as standard.
    RastaLulz likes this.
  7. Digital Doctor

    Digital Doctor Well-Known Member

    Alot of people want https://

    Seems like a good idea to fully support it as one option to select when installing xenforo.

    Having it as default seems premature.

    At this stage, it seems admins have to jerry rig xenforo to get https working.
  8. Chris D

    Chris D XenForo Developer Staff Member

    And what do you base that on?

    That's quite an extraordinary claim to make. It's very simple:
    1. Get an SSL cert
    2. Install it (your host will normally help with these two steps)
    3. Change your board URL
    4. Optionally rewrite URLs to https://
    surfsup, intradox, Brogan and 2 others like this.
  9. Lisa

    Lisa Well-Known Member

    I had it up and running in about half an hour.. and 10 minutes of that was waiting for the email with the cert details.
    intradox and The Forum Heroes like this.
  10. The Forum Heroes

    The Forum Heroes Well-Known Member

    You must be doing something incorrectly. I been using SSL with xF for over a year with no issues.
    Lisa likes this.
  11. Daniel Hood

    Daniel Hood Well-Known Member

    I think you misunderstood what Chris is suggesting. He wants only this forum itself to force ssl.
    Digital Doctor, Amaury and Chris D like this.
  12. Null

    Null Well-Known Member

    Damn, this was annoying me so much I've written a little snippet for Chrome to rewrite URL's from http to https.

    The only downside is this adds slight lag while browsing XF.
  13. SamL

    SamL Active Member

    Given that this domain has SSL available, and that many of the functions in v1.3.x are related to using SSL (image and link proxies), it seems pretty silly not to redirect everything to SSL. Think of it as debuting the full range of XF Features, if nothing else.
  14. melbo

    melbo Well-Known Member

    So if you set your board URL to https, does http still work?
    I wasn't able to get both working during testing my ssl migration but the internal links seem to be correct at XF no matter how you browse.
  15. Null

    Null Well-Known Member

    Yes; if you set your board URL to https, any forum generated links will contain https:// but http:// will still work, you'd need to force https:// via .htaccess (or its equivalent).

    https works here on XF but if you click on any user-generated links, you'll be logged out.
  16. SamL

    SamL Active Member

  17. Chris D

    Chris D XenForo Developer Staff Member

    I've seen a few people seem to prefer using HTTPS and there's still an issue with "getting logged out" because there's no continuity or standard amongst the community.

    I really think it would be a good idea, one way or another, to force visitors to either HTTP or HTTPS. I'd prefer HTTPS but if it meant there was some consistency I'd be happy with HTTP only too.
  18. SamL

    SamL Active Member

    It baffles me why this forum doesn't force SSL. They went to the trouble of obtaining and installing an SSL cert, and have even developed features into the forum core that make supporting it so easy (link proxy, image proxy, etc). It's a shame not to actually make use of the work they've put into those features here on their community support site. In fact, it seems like a golden opportunity to showcase to customers how nicely XF works via SSL. Demonstrating a 'best practice' feature can only be beneficial.

  19. Chris D

    Chris D XenForo Developer Staff Member

    Well, it's the same certificate they use in the customer area so it wasn't much trouble, I'm sure. But I don't disagree on everything else. Perfect opportunity being missed for the sake of what is presumably a 5 minute job. Unless, of course, there's a reason not to which we don't know.
  20. Digital Doctor

    Digital Doctor Well-Known Member

    I keep getting logged out of https:// when someone posts a http:// URL.
Thread Status:
Not open for further replies.

Share This Page