I've just converted my website to HTTPS and the option to enable SSL cookies is grey'd out. My settings file is writable.
Does SMF try to detect HTTPS before allowing that option to be set?
If so, it will not be detected on my site as I use Nginx in front of Apache and "proxypass" via HTTP. I do not have SSL enabled in Apache.
How can I manually bypass this restriction?
Adding the following to Settings.php solved the issue.
$_SERVER['HTTPS'] = 'on';
Is this safe to use in my situation?
Those are actually really good questions, ones i'm unable to give a good answer to -
but you can check your current Cookies status easily if you use Chrome.
Chrome DevTools -> Application Panel -> Cookies, and see if your Cookie is set as secure.
The cookies are not secure right now.
This is an area where I feel I must repeat I am not very familiar with - but I did find more than a few websites that seem to deal with a similar situation through Nginx configuration.
I hope someone with more experience on the issue can help you further, but this seemed like a good starting point to me
https://geekflare.com/httponly-secure-cookie-nginx/
The problem is that SMF tries to detect if HTTPS is in use and it can't know that it is because of the proxy.
Assuming you don't allow traffic over HTTP and always redirect to HTTPS, what you've done in Settings.php should be safe.
Quote from: Arantor on January 19, 2018, 08:33:18 AM
The problem is that SMF tries to detect if HTTPS is in use and it can't know that it is because of the proxy.
Assuming you don't allow traffic over HTTP and always redirect to HTTPS, what you've done in Settings.php should be safe.
Thank you!
Yes, I have Nginx set to redirect all traffic to HTTPS.
Is this solved then? :)