
XF 1.3 SSL and logins

Discussion in 'XenForo Questions and Support' started by Moshe1010, Apr 11, 2014.

  1. Moshe1010

    Moshe1010 Well-Known Member

    I would like to purchase an SSL certificate to my forum. But:
    1. Would it disconnect all the users from their sessions if I change to https?

    2. What would happen to those who logged in through Facebook?

    Thanks.
     
  2. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    1) Existing login cookies will remain in scope.

    2) Nothing should happen.
     
    Moshe1010 likes this.
  3. Moshe1010

    Moshe1010 Well-Known Member

    Wouldn't forcing people to use https require them to re-login? Sure, they can keep surfing on http://, but then it's missing the entire point of SSL, isn't it?
     
  4. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    I searched and confirmed that cookie scope is defined by domain and path, not protocol. The same cookies should remain in scope. SSL encrypts communications.
     
  5. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Correction.

    http://www.nczonline.net/blog/2009/05/05/http-cookies-explained/

    So cookies *can* be restricted by protocol.

    After some further investigation I found that XenForo *does* use secure cookies if the user is visiting the forum using https.

    So I would expect existing cookies to continue to work after moving to https. New cookies created after the move will only work on https.
     
    Moshe1010 likes this.
  7. Rizwan Kassim

    Rizwan Kassim Member

    Is it possible to disable secure cookies even if using https, either as a config field, or some sort of indication to an underlying line of code that can be modified?

    thanks!
     
  9. Rigel Kentaurus

    Rigel Kentaurus Well-Known Member

    Actually, you want to disconnect the users and have them log in again.

    After you switch to https, the cookies MUST be made "secure only", if you don't do that you leave the users vulnerable to different vectors of attacks that can steal cookies.

    Take these two assumptions:
    1) Cookies over HTTP can be sniffed since they are transmitted in clear text
    2) Cookies over HTTPS are safe

    Now notice this simple scenario:
    1) Webmaster sets redirection from http -> https
    2) Cookies are set to be for both http and https
    3) User still types in the browser http://yourdomain.com
    4) Browser opens yourdomain.com, SENDS cookies, and is redirected to https://yourdomain.com
    5) Browser opens the SSL site

    By setting the cookies for both HTTP and HTTPS you are putting the users at risk, since the cookies were sent in the clear in step (4), even when using https, since that page is hit before the https because of the redirections, and this makes the content of the cookies available to the attackers. If xf_user is there, then the user can potentially use that to log in to the site, or at least re-use the xf_session.

    That means all the cookies set for Http for any user of your site are potentially compromised, and switching to https will not help at all, only for the users that are logging in for the first time. But you can avoid further compromising user information by making sure the cookies are set to https only (the default in XenForo). If you wanted to be extra careful I would even change the $config['cookie']['cookie_prefix'] to force the users to start a fresh session.
     
    Mike likes this.
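The redirect scenario above, modelled as an added example (not code from the post or from XenForo): a minimal browser cookie-jar check showing which cookies leave the browser on the initial http:// request, and a server-side check showing why changing the cookie prefix invalidates old sessions. The host name, cookie values and the alternative prefix are constructed for the example; the cookie names xf_user/xf_session and the default xf_ prefix are as the thread describes them.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    path: str = "/"
    secure: bool = False  # the Secure attribute: send only over https


def cookies_for_request(jar, url):
    """Names of the cookies a browser attaches to a request for `url`:
    domain and path must match, and Secure cookies go out only over https."""
    parts = urlsplit(url)
    sent = []
    for c in jar:
        if parts.hostname != c.domain:
            continue
        if not (parts.path or "/").startswith(c.path):
            continue
        if c.secure and parts.scheme != "https":
            continue
        sent.append(c.name)
    return sent


def simulate_redirect_visit(jar, host):
    """Steps 3-5 of the scenario: the user types http://host, the browser
    sends cookies in the clear, then follows the redirect to https://host.
    Returns (names leaked over plain http, names sent over TLS)."""
    leaked = cookies_for_request(jar, f"http://{host}/")
    over_tls = cookies_for_request(jar, f"https://{host}/")
    return leaked, over_tls


def session_accepted(jar, url, prefix):
    """Server side: is there a session cookie under the configured prefix?
    Changing $config['cookie']['cookie_prefix'] makes every existing
    '<oldprefix>session' cookie irrelevant, so users start a fresh session."""
    return f"{prefix}session" in cookies_for_request(jar, url)


HOST = "forum.example.com"  # constructed sample host
# Cookies that were issued while the site was still served over plain http.
LEGACY_JAR = [Cookie("xf_user", "u1", HOST), Cookie("xf_session", "s1", HOST)]
# The same cookies as issued after the move, with the Secure attribute set.
SECURE_JAR = [Cookie("xf_user", "u2", HOST, secure=True),
              Cookie("xf_session", "s2", HOST, secure=True)]
```

Running `simulate_redirect_visit` on LEGACY_JAR shows both cookie names leaking on the http:// hop, while SECURE_JAR leaks nothing and still authenticates on the https:// page.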
  10. RoldanLT

    RoldanLT Well-Known Member

    Why not force full https all over your forum and enable SPDY 3.1?
     