XF 1.3 SSL and logins


Well-known member
I would like to purchase an SSL certificate to my forum. But:
1. Would it disconnect all the users from their sessions if I change to https?

2. What would happen to those who logged in through Facebook?


Jake Bunce

XenForo moderator
Staff member
I searched and confirmed that cookie scope is defined by domain and path, not protocol. The same cookies should remain in scope. SSL encrypts communications.

Jake Bunce

XenForo moderator
Staff member


The secure option

The last option is secure. Unlike the other options, this is just a flag and has no additional value specified. A secure cookie will only be sent to the server when a request is made using SSL and the HTTPS protocol. The idea is that the contents of the cookie are of high value and could be potentially damaging to transmit as clear text. Sample:

Set-Cookie: name=Nicholas; secure

In reality, confidential or sensitive information should never be stored or transmitted in cookies as the entire mechanism is inherently insecure. By default, cookies set over an HTTPS connection are automatically set to be secure.
So cookies *can* be restricted by protocol.

After some further investigation I found that XenForo *does* use secure cookies if the user is visiting the forum using https.

So I would expect existing cookies to continue to work after moving to https. New cookies created after the move will only work on https.
Is it possible to disable secure cookies even if using https, either as a config field, or some sort of indication to an underlying line of code that can be modified?


Rigel Kentaurus

Well-known member
Actually, you want to disconnect the users and have them log in again.

After you switch to https, the cookies MUST be made "secure only"; if you don't do that you leave the users vulnerable to different vectors of attack that can steal cookies.

Take these two assumptions:
1) Cookies over HTTP can be sniffed since they are transmitted in clear text
2) Cookies over HTTPS are safe

Now notice this simple scenario:
1) Webmaster sets redirection from http -> https
2) Cookies are set to be for both http and https
3) User still types in the browser http://yourdomain.com
4) Browser opens yourdomain.com, SENDS cookies, and is redirected to https://yourdomain.com
5) Browser opens the SSL site

By setting the cookies for both HTTP and HTTPS you are putting the users at risk, since the cookies were sent in the clear in step (4), even when using https: that page is hit before the https one because of the redirection, and this makes the content of the cookies available to attackers. If xf_user is there, then the user can potentially use that to log in to the site, or at least re-use the xf_session.

That means all the cookies set over HTTP for any user of your site are potentially compromised, and switching to https will not help at all, only for the users that are logging in for the first time. But you can avoid further compromising user information by making sure the cookies are set to https only (the default in XenForo). If you wanted to be extra careful I would even change the $config['cookie']['cookie_prefix'] to force the users to start a fresh session.
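The two points made in this thread, that cookie scope is decided by domain and path while the Secure attribute alone decides whether a cookie crosses plain HTTP, and that an http -> https redirect sends every non-Secure cookie in the clear before the redirect is even seen, can be checked with a small model of browser cookie matching. The code below is an added illustration for this thread, not XenForo's code or anything from the posters; the hostname forum.example and all cookie values are constructed sample data, and only the cookie names xf_session and xf_user come from the thread.

```python
"""Model of browser cookie matching (RFC 6265 style) to show which cookies
leak on the plain-HTTP hop of an http -> https redirect.

Added illustration for this thread, not XenForo code. forum.example and
every cookie value are constructed sample data; the cookie names
xf_session / xf_user follow the thread.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str           # host the cookie belongs to (host-only match here)
    path: str = "/"
    secure: bool = False  # Secure attribute: send over https only


def parse_set_cookie(header: str, request_url: str) -> Cookie:
    """Parse a Set-Cookie header received in the response to request_url."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(),
                    domain=(urlsplit(request_url).hostname or "").lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "path" and val:
            cookie.path = val
        elif key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
    return cookie


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_matches(cookie: Cookie, url: str) -> bool:
    """Would a browser attach this cookie to a request for url?"""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != cookie.domain:
        return False
    if not path_matches(cookie.path, parts.path or "/"):
        return False
    # The protocol only matters here, and only for Secure cookies.
    return not (cookie.secure and parts.scheme != "https")


def cookie_header(jar: list, url: str) -> dict:
    """Name -> value of every cookie the browser would send to url."""
    return {c.name: c.value for c in jar if cookie_matches(c, url)}


def store(jar: list, cookie: Cookie) -> None:
    """Browser behaviour: a cookie with the same name/domain/path replaces the old one."""
    key = (cookie.name, cookie.domain, cookie.path)
    jar[:] = [c for c in jar if (c.name, c.domain, c.path) != key]
    jar.append(cookie)


def redirect_exposure(jar: list, http_url: str, https_url: str) -> dict:
    """Step (4) of the thread's scenario: the browser sends cookies on the
    plain-HTTP request first, then follows the redirect to https."""
    return {"sent_in_clear": cookie_header(jar, http_url),
            "sent_over_tls": cookie_header(jar, https_url)}


def demo() -> dict:
    http_url, https_url = "http://forum.example/", "https://forum.example/"
    jar: list = []
    # Cookies issued while the forum was plain HTTP: no Secure attribute.
    store(jar, parse_set_cookie("xf_session=oldsess; Path=/; HttpOnly", http_url))
    store(jar, parse_set_cookie("xf_user=12%2Coldtoken; Path=/; HttpOnly", http_url))
    before = redirect_exposure(jar, http_url, https_url)
    # User logs in again over https; both cookies are re-issued with Secure.
    store(jar, parse_set_cookie("xf_session=newsess; Path=/; Secure; HttpOnly", https_url))
    store(jar, parse_set_cookie("xf_user=12%2Cnewtoken; Path=/; Secure; HttpOnly", https_url))
    after = redirect_exposure(jar, http_url, https_url)
    return {"before_relogin": before, "after_relogin": after}


if __name__ == "__main__":
    for phase, exposure in demo().items():
        print(phase, exposure)
```

Running `demo()` shows both halves of the thread's argument: the pre-migration cookies are in scope for https://forum.example/ (same host, same path), so sessions survive the switch, but the same cookies are also sent on the http:// hop of the redirect; once they are re-issued with Secure, nothing is sent on that hop and the https request still carries them. Changing the cookie prefix, as suggested above, simply renames the cookies the application looks for, so none of the old ones are found and every user gets a fresh session.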