http://xenforo.com/community: Force SSL / HTTPS

Status
Not open for further replies.

Chris D

XenForo developer
Staff member
It is already possible to browse this forum with an SSL connection and more people have begun to do so. I did for a while. Unfortunately, cookies are an issue.

If you're logged into https://xenforo.com/community and you click on a link to the non-SSL version of the site, you are logged out and not only that, you are further logged out from the SSL version of the site also.

I think something similar happens when the reverse is true, also.

It makes it quite a fragmented experience.

Realistically there are only two options: go back to forcing HTTP only or migrate to force HTTPS only. Unless there is anything that can be changed to prevent the cookies being such an issue. I assume the only thing that could be changed, though, is the secure flag on the cookie...

Just a thought, anyway. I think people would probably prefer to browse the entire site with HTTPS, especially as the rest of XenForo.com does the same.
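
A minimal model of the cookie behaviour described in the post above, added here as an example; it is not part of the thread and not XenForo's code. It assumes the session cookie is issued with the Secure flag and that a request arriving without a session cookie is handed a fresh guest session; the host, cookie name and values are constructed.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed Set-Cookie headers (assumed names and values, not taken from XenForo).
SECURE_LOGIN = "xf_session=member-abc; Path=/; Secure; HttpOnly"
GUEST_SESSION = "xf_session=guest-000; Path=/; HttpOnly"


class FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie=None):
        self._headers = email.message.Message()
        if set_cookie:
            self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def visit(jar, url, login=False):
    """Send one request through the jar; return the Cookie header the server sees."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # a Secure cookie is withheld from http:// URLs
    sent = request.get_header("Cookie")
    # Assumed server behaviour: login sets a Secure session cookie; a request
    # with no session cookie is given a fresh guest session.
    if login:
        reply = FakeResponse(SECURE_LOGIN)
    elif sent is None:
        reply = FakeResponse(GUEST_SESSION)
    else:
        reply = FakeResponse()
    # http.cookiejar lets a non-Secure cookie replace a Secure one of the same name.
    jar.extract_cookies(reply, request)
    return sent


def browse(force_https):
    """Log in over HTTPS, follow an http:// link, then return to HTTPS."""
    jar = http.cookiejar.CookieJar()
    link = "http://forum.example/community/threads/1/"
    if force_https:  # models the end result of a server-side redirect to https://
        link = link.replace("http://", "https://", 1)
    visit(jar, "https://forum.example/community/login", login=True)
    on_link = visit(jar, link)
    back_on_https = visit(jar, "https://forum.example/community/")
    return on_link, back_on_https
```

`browse(False)` shows the member session being withheld on the http:// link and then replaced by the guest session on return to HTTPS; `browse(True)` keeps the member session throughout.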
 
Interesting.

It appears to be maintaining my logged in state between the two sites now. I'm pretty sure https => http resulted in an instant log out before.

I'd still like to see https become the standard, though.
 
I've been getting logged out randomly for about a week or so now. Even by refreshing the page I'm on... figured it was me. I did whine to @Brogan and @Jeremy about it a time or two :D
 
I switched back from https last week due to the flip-flopping and logging-out problem.
 
A lot of people want https://

Seems like a good idea to fully support it as one option to select when installing XenForo.

Having it as default seems premature.

At this stage, it seems admins have to jerry-rig XenForo to get https working.
 
And what do you base that on?

That's quite an extraordinary claim to make. It's very simple:
  1. Get an SSL cert
  2. Install it (your host will normally help with these two steps)
  3. Change your board URL
  4. Optionally rewrite URLs to https://
 
Damn, this was annoying me so much I've written a little snippet for Chrome to rewrite URLs from http to https.

The only downside is this adds slight lag while browsing XF.
 
Given that this domain has SSL available, and that many of the functions in v1.3.x are related to using SSL (image and link proxies), it seems pretty silly not to redirect everything to SSL. Think of it as debuting the full range of XF Features, if nothing else.
 
So if you set your board URL to https, does http still work?
I wasn't able to get both working while testing my SSL migration but the internal links seem to be correct at XF no matter how you browse.
 
So if you set your board URL to https, does http still work?
I wasn't able to get both working while testing my SSL migration but the internal links seem to be correct at XF no matter how you browse.
Yes; if you set your board URL to https, any forum-generated links will contain https:// but http:// will still work. You'd need to force https:// via .htaccess (or its equivalent).

https works here on XF but if you click on any user-generated links, you'll be logged out.
 
I've seen a few people seem to prefer using HTTPS and there's still an issue with "getting logged out" because there's no continuity or standard amongst the community.

I really think it would be a good idea, one way or another, to force visitors to either HTTP or HTTPS. I'd prefer HTTPS but if it meant there was some consistency I'd be happy with HTTP only too.
 
I've seen a few people seem to prefer using HTTPS and there's still an issue with "getting logged out".....I really think it would be a good idea, one way or another, to force visitors to either HTTP or HTTPS. I'd prefer HTTPS....

It baffles me why this forum doesn't force SSL. They went to the trouble of obtaining and installing an SSL cert, and have even developed features into the forum core that make supporting it so easy (link proxy, image proxy, etc). It's a shame not to actually make use of the work they've put into those features here on their community support site. In fact, it seems like a golden opportunity to showcase to customers how nicely XF works via SSL. Demonstrating a 'best practice' feature can only be beneficial.

JMO
 
Well, it's the same certificate they use in the customer area so it wasn't much trouble, I'm sure. But I don't disagree on everything else. Perfect opportunity being missed for the sake of what is presumably a 5 minute job. Unless, of course, there's a reason not to which we don't know.
 