Simple Machines Community Forum

Link to Mod (http://custom.simplemachines.org/mods/index.php?mod=880)

WARNING: This mod requires you have SSL working on your site. If you do not, enabling the functionality will BREAK login.


About
-----
This modification allows you to enable secure (SSL) logins on your forum.

This mod and other information can be found at:
http://www.animeneko.net/projects/smf/


Features
--------
- Enable SSL login for user accounts
- Enable SSL login for admin area


Limitations
-----------
- Currently, requiring SSL for login boxes is all or none.

- This mod requires a properly set up SSL environment on the webserver first.
  If you cannot view the forum over SSL normally, this will need to be corrected
  before this mod will function.


How to Use
----------
A new option is added to the Features and Settings admin page.


License
-------
This code is licensed under the terms of the Simple Machines License. All
original code is copyright Michael Johnson.

I installed it, and now its not letting me log-in. How can i fix this?

I'm guessing you enabled the functionality, not just installed.

Quote from: Motoko-chan on August 12, 2007, 03:12:00 PM
- This mod requires a properly set up SSL environment on the webserver first.
  If you cannot view the forum over SSL normally, this will need to be corrected
  before this mod will function.

Did you make sure SSL worked on your website, or did you just enable the mod without checking?

To disable, you'll need to manually edit the SMF settings table in the database. You can do this with phpMyAdmin. Once you have the right database selected, go to the SQL tab and run the following query. This assumes your table prefix is "smf".


UPDATE smf_settings SET value=FALSE where variable="use_secure_login";


Its not Working, It says this:

Error

SQL query:

UPDATE smf_settings SET value = FALSE WHERE variable = "use_secure_login"

MySQL said: Documentation
#1146 - Table 'b24_897878_smf.smf_settings' doesn't exist

What do i do now?

Maybe you have a different prefix? Adjust the query to use that.

Ya it would work if i can get into my PHP Admin now.

I have a table prefix its smf_

Is that what a prefix is?

Yes.

...Still not working

Looks like it wiped all of your tables. (re: the other topic)

That mod doesn't affect the database when running (only uses the normal SMF function for adding a setting), and that query was tested against a test install before given (and worked okay). Can anyone confirm that this mod is responsible?

I did not touch my database at all, since I started. It had to have been.

The link to the other topic (with more info than here) is http://www.simplemachines.org/community/index.php?topic=189522.new#new

Sfx23, i don't think this mod will modify your database in any way. Maybe something was messed up elsewhere?

I see the user posted in the topic for the User Control Panel mod. Perhaps it was some odd combo?

or because it was a free host?

Its okay.... I made a new forum. And now im making sure that I make back-ups everyday.

 Hi, I just updated to 1.1.4, and this doesnt want to install, Im not thinking too much has changed in between the two versions, can I just modify the package-info.xml to 1.1.4..is thats all that needed?

Sorry to bother, if it was a cosmetic mod, Id go for it without even asking.

For some reason this mod was extremely hard to find through google on my pc, yet I stumbled upon it with google/pda, only a shame I updated 10 minutes before I found it....well not really a shame..needed updated, Id just like to have checked it out tonight, without bothering you all.

It should work without changes on 1.1.4. I'll be trying to get an official update out sometime this weekend.

 Thank you for the quick response.

Is there any way that this can be addapted to include a secure registration too? My forum asks for quite a lot of personal data when people register so would like to have this secure and encrypted?

My forum is accessed via:

https://example.com

The login form is already sent and submitted securely (since the entire site is encrypted). What would this mod do?

It would not do anything for you. This mod allows the password forms to be served securely (if the server is set up correctly) while the rest is normally accessed. If your whole forum is secure, then this won't do anything.

Thanks for the quick reply.

At the moment, I redirect http visitors to https (via the .htaccess file). If I allowed both types of access,, would the mod cause the login form to fail when the forum was accessed via https (such as by appending an extra "s" somewhere)?

Also, are you aware of any advantage to securing only the login form?

Quote from: whateveropolis on April 16, 2008, 09:31:39 PM
At the moment, I redirect http visitors to https (via the .htaccess file). If I allowed both types of access,, would the mod cause the login form to fail when the forum was accessed via https (such as by appending an extra "s" somewhere)?

It's been a while since I wrote this, but I do remember that the logic checks the URL and sees if the forum URL has https in it already. If so, it just uses the same for the secure URL. If not, it constructs one. So no, it shouldn't cause an issue.

Quote from: whateveropolis on April 16, 2008, 09:31:39 PM
Also, are you aware of any advantage to securing only the login form?

SSL connections have more overhead than non-encrypted ones, due to the extra computations needed to encrypt the contents. If you only feel the need to give logins a bit more security, then you don't need to encrypt the whole forum - just the password parts. If there is sensitive data being posted for some reason, or you just don't want snoopers on the line, it is best to encrypt the connection all the time.

I'm not using the default theme. What lines need to be added/modifed? and where?

Use the new install instructions feature of the site!

Simply choose the version of SMF you are using from the dropdown by "Manual Install Instructions for SMF" and you'll see what changes you need to make to things.

got a url?

Quote from: LinK187 on June 03, 2008, 11:48:36 PM
got a url?

Go to the page where you can download this modification. It's there.

Maybe I'm blind, I don't see anything about theme modification at either of the two sites.

SMF Secure Login (http://custom.simplemachines.org/mods/index.php?mod=880)

Over on the right where the downloads are. Right below the two links, where it says "Manual Install Instructions for SMF". Choose your version and submit. You'll get a page listing all the changes.

Unless I'm looking in the wrong place, I still can't find any options for this mod. Perhaps you could install aa_a_new_damage on your forum or a test forum and show me what code you added/modified.

If I have to do that, you'll probably be waiting a few weeks - or months. I'm rather backlogged right now (I barely have time to post this).

Since AA New Damage is 1.1-only afaik, try this direct link to the installation for the mod for 1.1.5 (http://custom.simplemachines.org/mods/index.php?action=parse&attach=56396&smf_version=1.1.5&mod=880)

Find the sections beginning with "./Themes/default/" and check them out. If you have a file of the same name in the custom theme, follow the instructions. If you don't then you are using the default theme file for that and don't need to do anything special.

I did.. and my forum is 1.1.5... nvm i just won't install the mod. I can't be assed any longer trying to guess what code does what and doing fruitless scavenger hunts. peace  8)

Hey Motoko Chan ,

The mod you have updated is really interesting.
A very quick question from you.

I have my forum at www.sitename.com/forum/

I would like to connect my login outside the forum for ex: @ www.sitename.com

so i have included SSI.php in prefix to the index file locate at sitename.com/index.php

Could you help me to complile the login action from this index.php to forum page.

- Thanks in Advance.

Reference Post @ http://www.simplemachines.org/community/index.php?topic=248550.0

Dear Motoko-chan,

I am trying to use SSL for my site,  I installed this Mod but I cannot find an "option" in the Features and Settings admin page for this feature.  According to my Modifications Packages screen, the SMF Secure Login 1.0.4 is installed.    where is this option turned listed at?

I have a couple of issues/questions.
If I browse to the URL https://mySite.org/board the login works and the site appears to use https throughout.  BUt I don't understand why this works because I didn't turn anything on inthe features admin page.  However, I use a redirect in the .htaccess file to ensure that my entire site is being viewed via https.  It looks like:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.mySite.org%{REQUEST_URI} [L]

RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^mySite\.org
RewriteRule (.*) https://www.mySite.org%{REQUEST_URI} [R,L]

If I have this in my .htaccess file then I can't log into my bulletin board.  Any ideas/suggestions?

Quote from: icoso on September 30, 2008, 01:53:19 PM
I am trying to use SSL for my site,  I installed this Mod but I cannot find an "option" in the Features and Settings admin page for this feature.  According to my Modifications Packages screen, the SMF Secure Login 1.0.4 is installed.    where is this option turned listed at?

It depends on what version of SMF you are using. The README displays the locations:

Quote
How to Use
----------
SMF 1.1: A new option is added to the Features and Settings admin page.

SMF 2.0: A new option is added to the Security and Moderation General page.

Quote from: icoso on September 30, 2008, 01:53:19 PM
I have a couple of issues/questions.
If I browse to the URL https://mySite.org/board the login works and the site appears to use https throughout.  BUt I don't understand why this works because I didn't turn anything on inthe features admin page.

There is built-in support for keeping an SSL session in SMF if you first browse to it that way. You don't need any kind of mod if you want to use SSL for everything. This mod allows you to only use SSL for login actions, but will return you to non-secured otherwise.

Quote from: icoso on September 30, 2008, 01:53:19 PM
However, I use a redirect in the .htaccess file to ensure that my entire site is being viewed via https.  It looks like:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.mySite.org%{REQUEST_URI} [L]

RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^mySite\.org
RewriteRule (.*) https://www.mySite.org%{REQUEST_URI} [R,L]

If I have this in my .htaccess file then I can't log into my bulletin board.  Any ideas/suggestions?

That would be something for general support.

Here is my version info:

Mod Name     Version     
1.    SMF 1.0.14 / 1.1.6 Update    1.0    
2.    SMF Secure Login    1.0.4

On my Basic features, Layout and Options, Karma, Core Config, Feature Config,  nor any of the themes pages in my admin do I see an option that says anything about SSL.  What does this new option actually state?  I cant find it.

If I visit my SMF login page without using https:, ie: http://mySite.org it does not redirect me to https://mySite.org  (this is what i would expect it to do.)  Although the form action is calling the https:// <form action="https://mySite.org/board/index.php?action=login2" method="post" ...

Then once I login I get redirected to an https site. Is this what its supposed to do?   If yes,  I guess I was just confused because I do not see the option that was referenced on the install instructions.

Quote from: icoso on September 30, 2008, 04:51:27 PM
Here is my version info:

Mod Name     Version     
1.    SMF 1.0.14 / 1.1.6 Update    1.0    
2.    SMF Secure Login    1.0.4

So, um, you are using SMF 1.1 then.

Quote from: icoso on September 30, 2008, 04:51:27 PM
On my Basic features, Layout and Options, Karma, Core Config, Feature Config,  nor any of the themes pages in my admin do I see an option that says anything about SSL.  What does this new option actually state?  I cant find it.

The option text is "Use a secure (SSL) login". For SMF 1.1, it will be right below the option to disable admin security checks.

Quote from: icoso on September 30, 2008, 04:51:27 PM
If I visit my SMF login page without using https:, ie: http://mySite.org it does not redirect me to https://mySite.org  (this is what i would expect it to do.)  Although the form action is calling the https:// <form action="https://mySite.org/board/index.php?action=login2" method="post" ...

Then once I login I get redirected to an https site. Is this what its supposed to do?   If yes,  I guess I was just confused because I do not see the option that was referenced on the install instructions.

This mod is only for enabling SSL on the login submission. Everything else should be non-secure. If you want everything to always be via SSL, edit your forum URL, theme URLs, and Smiley URLs.

If the option is enabled for SSL with the mod, you will see the form post to the SSL address, then you should drop back to an unsecured connection.

Dear Motoko-chan,

I am not trying to be difficult,  but where is this option located?  Under what menu and tab?

Here is teverything that is listed under my Basic Features:

Poll mode  Disable polls Enable polls Show existing polls as topics 

--------------------------------------------------------------------------------

Allow guests to browse the forum   
Enable user-selectable language support   
Allow users to edit their displayed name?   
Allow non-administrators to hide their online status?   
Allow users to hide their email from everyone except admins?   
Do not reveal contact details of members to guests   
Enable custom titles   
Enable buddy lists   
Default personal text   
Maximum allowed characters in signatures
(0 for no max.)   

--------------------------------------------------------------------------------

Default time format   
Default number format  1234.00 1,234.00 1.234,00 1 234,00 1234,00 
Overall time offset
(added to the member specific option.)   
Failed login threshold   
User online time threshold   
Track daily statistics   
Track daily page views (must have stats enabled)   
Enable error logging   
Disable administration security   
   

--------------------------------------------------------------------------------

Require reactivation after email change   
Require admin approval when member deletes account   

--------------------------------------------------------------------------------

Allow users to disable announcements   
Don't allow post text in notifications?   
Log moderation actions   
Search engine friendly URLs
Apache only!   

--------------------------------------------------------------------------------

Max width of posted pictures (0 = disable)   
Max height of posted pictures (0 = disable)   

--------------------------------------------------------------------------------

Enable reporting of personal messages   
Maximum number of recipients allowed in a personal message.
(0 for no limit, admins are exempt)   
Post count under which users must enter code when sending personal messages.
(0 for no limit, admins are exempt)   
Number of personal messages a user may send in an hour.
(0 for no limit, moderators are exempt)

Here is everything under Layout and Options:

Limit number of displayed page links   
Contiguous pages to display:
"3" to display: 1 ... 4 [5] 6 ... 9
"5" to display: 1 ... 3 4 [5] 6 7 ... 9   

--------------------------------------------------------------------------------

Enable "Today" feature  Disabled Only Today Today & Yesterday 
Enable Go Up/Go Down buttons   
Show online/offline in posts and PMs   
Show a quick login on every page   

--------------------------------------------------------------------------------

Members per page in member list   

--------------------------------------------------------------------------------

Display time taken to create every page   
Disable hostname lookups?   

--------------------------------------------------------------------------------

Enable who's online list

I dont see anything labeled "Use a secure (SSL) login".  Since SMF Secure Login is listed under my packages menu and there is a little green button next to it, It would appear it is instaled correctly.

What am I missing?

Thanks for your help.

Quote from: icoso on October 01, 2008, 09:53:01 PM
Dear Motoko-chan,

I am not trying to be difficult,  but where is this option located?  Under what menu and tab?

**snip**

Disable administration security  

It should be right below that item. Do you see anything, even a checkbox with blank text? Are you using a custom theme?

There is a check box with no text.   Should I check it?  If yes, then what ?

I just did an install from my Fantastico Suite in my CPanel then installed your SMF Secure Login.

Thanks.

Quote from: icoso on October 01, 2008, 10:43:00 PM
I just did an install from my Fantastico Suite in my CPanel then installed your SMF Secure Login.

Ah, you are probably using Fantastico's broken UTF-8 install (which doesn't install properly). I think that mod is from before I started adding install strings for UTF-8.

If you want the text, copy the lines from Modifications.english.php to Modifications.english-utf8.php.

Can you define the advantages of installing this mod?  I will be getting SSL in the near future.

It keeps any possible intermediaries from sniffing passwords. Some forums might want the extra security, others might not. Of course, if you are getting an SSL certificate for your site, or have one already, you probably already know if you want this mod.

I had wanted it in the past, and seeing as I'm upgrading for the dedicated IP, and the ssl comes free, and I couldn't do it before because of this, I'm pretty sure I want.  :P

I've been using this mod for a while, and it works great for me--I only have one problem, which is that my url differs from what is on the certificate. Shared hosting, the certificate uses the server name, and so it shows a warning, which confuses my users. Is there any way I can manually set the securescript url to match the certificate?

I'm using SMF 1.1.8
My forum is at http://phorum.theworldaccordingtokang.com
The url I want to use for the secure login is https://phorum.alphanum.server297.com/

If this doesn't make sense, I can try to explain better.

You can edit the URL being built in QueryString.php. Open the file and do a search for "// Build the secure version of the string.".

The problem you'll probably run into is that the login is taking place on a completely different domain. Cookies and possibly the login itself won't carry over well if at all. (Cookies won't for sure.)

Thank you for the help, Motoko-Chan. I'll evaluate my options and go from there.

and, could you make a HTTPS secure register mode in SMF? other sites as WL Hotmail they have this.

could you make this possible?

Thanks for all and great mod

i want to translate the addon in german, because in the german admin panel there are only a box and no text. can you send me the text i need to translate? you can write via mail
admin(at)noge-clan(dot)menkisys(dot)net 

nice mod,

Arabic translation attached .

Please update mod to RC5

I'll work on it as soon as I get the time. I know it's been a while, but I really do want to get it updated and working.

Quote from: Groovy™ on May 03, 2011, 01:14:17 PM
Please update mod to RC5

Yes, please update this ASAP! I really need it!

I'll do it as soon as I have time. If you want to pay my salary for a few days so that I can take time off from my day job to update my modifications, I could probably them much faster.

If you already have time to visit a forum so often ... then please take some time to update the mod to RC5, because it really is very much needed :)
I hope you understand me

Quote from: Groovy™ on May 25, 2011, 03:17:21 PM
If you already have time to visit a forum so often ... then please take some time to update the mod to RC5, because it really is very much needed :)

There is replying to posts, then there is working on code. I have very busy days lately (debugging a WebORB Flash/FLEX and .NET application took up my day), and don't often feel much like continuing code when I get home.

As I said earlier:

Quote from: 青山 素子 on May 09, 2011, 01:12:55 AM
If you want to pay my salary for a few days so that I can take time off from my day job to update my modifications, I could probably get to them much faster.

I had this mod installed quite a while back, say around SMF 1.1.11, then had multiple errors when I tried to update it, looked at the manual install and gave up.

Now I"m on 1.1.14, got the latest version of the mod and it still honked up the pre-install test, so I hunkered down with an editor and did it manually.

I can run with the forum accessed as "https" just fine, so the cert's working, but how can I tell that logins from http are secure? Can I get any indication?

Thanks for the mod, and any help!

Bill

Update to 2.0 ???

When. I. Get. Time.

Can you update this please!

Thanks

As soon as I can. Right now, I'm working on getting a multi-million-dollar project launched for a client.

I would also like to see this upgraded for SMF 2.0.1. Just want to let you know that the demand is out there. Hope your project went well or is still going well!

Thank you for the kind words. I hope to find the time to get this back and maintained.

The project launched on Sunday night/Monday morning. It's done okay so far, just mostly minor issues have been found, so now I'm going through the backlog of requests that got pushed away because of that project.

It was actually a trivial change... took me 5 mins to update it.

I removed support for 2.0 betas and increased version number to 1.0.5, hope you don't mind.

http://aldo.mx/files/SMFSecureLogin_1-0-5.zip

Aldo, according to the license I released this under, redistribution is not allowed.

Actually, you know what? Whatever. Have fun. I will not support any modified versions.

Another hopeful fan, hoping you can get the time to update this mod.


Be well,
Bill

Any timeframe for an official release for the current smf version?

OR is the 1.4b sufficient for the current SMF?

ADD: Where can we submit patches? Using a GitHub repo?

Quote from: cfoellmann on September 03, 2012, 05:35:12 AM
Any timeframe for an official release for the current smf version?

When I have time. Right now, I'm quite backlogged. If you want full security, I advise putting the whole site under SSL.

Quote from: cfoellmann on September 03, 2012, 05:35:12 AM
ADD: Where can we submit patches? Using a GitHub repo?

Send them to me in PM for now. Keep in mind that the license is still currently the old SMF license but this may change in the future. Only send me code if you're fine with the license changing on any contributions. I do have a repository, but it's currently a private one over on BitBucket. If I do open it up to the public, you'll see it over there (https://bitbucket.org/motokochan).

Just wondering if others looking for logins under SSL have found another solution. I see the advice of putting the entire login under SSL, how exactly does one do this?

I believe Apache can forward all HTTP URLs to HTTPS. As I understand it, SMF is about a decade behind the rest of the world in supporting HTTPS. That has made me consider possibly dumping SMF in favor of...vBulletin. That would be a shame.

Quote from: badon on December 25, 2012, 12:40:05 AM
I believe Apache can forward all HTTP URLs to HTTPS. As I understand it, SMF is about a decade behind the rest of the world in supporting HTTPS.

Huh? Can you explain what you mean?

To the MOD author, is this OK to be used in the most recent version of SMF 2.0.x?

I have not tested it, but you're free to try. If it installs without issue, it should work fine. Do not force it, or you could end up with a broken forum.

Please also make sure that SSL is functioning properly before turning things on, or it will break logins.

Quote from: 青山 素子 on July 11, 2016, 12:17:22 AM
I have not tested it, but you're free to try. If it installs without issue, it should work fine. Do not force it, or you could end up with a broken forum.

Please also make sure that SSL is functioning properly before turning things on, or it will break logins.

It has alot of errors for me.
So i'd say probably wise not to install it.

(https://www.simplemachines.org/community/proxy.php?request=http%3A%2F%2Fi.imgur.com%2F1mT8PJ0.png&hash=1df65dff96abe1931dc5f171997a3ec992023254)

Is this mod going to be updated to support the latest version of SMF as I can't use any version of this mod with the latest SMF updates.

It might be updated eventually. However, given changes in the Internet, including the increased emphasis on securing the web, it is a better idea to run everything over SSL rather than the login process only.

I know I dig out the dead but I desperately need to secure my login site via https. I run 2.0.15 now and I changed the forum url already to https and my forum can only be accessed when logged in. Nonetheless, the login page presented at forumhome now is still http by default.

@fritz_ch, do you have any mixed content on your "forumhome" page?  All the links in your page should be coded "https://", not "http://".

Also, the information on these page might help you work out the problem.

https://www.simplemachines.org/community/index.php?topic=555034.0

https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content#mixed_content_weakens_https

I seriously recommend securing the entire site using HTTPS, and not just the login page. It's much easier to do since there is no mod needed and some search engines give a slightly higher preference to HTTPS sites over non-secure.

In older days, there was often a performance penalty for HTTPS, but with servers in the last two or three years this is no longer a concern. If you can set up HTTPS for the login, you can certainly afford to run the whole system that way.