SMF Secure Login

Started by 青山 素子, August 12, 2007, 03:12:00 PM

fgoc

Is there any way that this can be adapted to include a secure registration too? My forum asks for quite a lot of personal data when people register so would like to have this secure and encrypted?

whateveropolis

My forum is accessed via:

https://example.com

The login form is already sent and submitted securely (since the entire site is encrypted). What would this mod do?

青山 素子

It would not do anything for you. This mod allows the password forms to be served securely (if the server is set up correctly) while the rest is normally accessed. If your whole forum is secure, then this won't do anything.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


whateveropolis

Thanks for the quick reply.

At the moment, I redirect http visitors to https (via the .htaccess file). If I allowed both types of access, would the mod cause the login form to fail when the forum was accessed via https (such as by appending an extra "s" somewhere)?

Also, are you aware of any advantage to securing only the login form?

青山 素子

Quote from: whateveropolis on April 16, 2008, 09:31:39 PM
At the moment, I redirect http visitors to https (via the .htaccess file). If I allowed both types of access, would the mod cause the login form to fail when the forum was accessed via https (such as by appending an extra "s" somewhere)?

It's been a while since I wrote this, but I do remember that the logic checks the URL and sees if the forum URL has https in it already. If so, it just uses the same for the secure URL. If not, it constructs one. So no, it shouldn't cause an issue.


Quote from: whateveropolis on April 16, 2008, 09:31:39 PM
Also, are you aware of any advantage to securing only the login form?

SSL connections have more overhead than non-encrypted ones, due to the extra computations needed to encrypt the contents. If you only feel the need to give logins a bit more security, then you don't need to encrypt the whole forum - just the password parts. If there is sensitive data being posted for some reason, or you just don't want snoopers on the line, it is best to encrypt the connection all the time.


LinK187

I'm not using the default theme. What lines need to be added/modified? And where?

青山 素子

Use the new install instructions feature of the site!

Simply choose the version of SMF you are using from the dropdown by "Manual Install Instructions for SMF" and you'll see what changes you need to make to things.


LinK187


青山 素子

Quote from: LinK187 on June 03, 2008, 11:48:36 PM
got a url?

Go to the page where you can download this modification. It's there.


LinK187

Maybe I'm blind, I don't see anything about theme modification at either of the two sites.

青山 素子

SMF Secure Login

Over on the right where the downloads are. Right below the two links, where it says "Manual Install Instructions for SMF". Choose your version and submit. You'll get a page listing all the changes.


LinK187

Unless I'm looking in the wrong place, I still can't find any options for this mod. Perhaps you could install aa_a_new_damage on your forum or a test forum and show me what code you added/modified.

青山 素子

If I have to do that, you'll probably be waiting a few weeks - or months. I'm rather backlogged right now (I barely have time to post this).

Since AA New Damage is 1.1-only afaik, try this direct link to the installation for the mod for 1.1.5

Find the sections beginning with "./Themes/default/" and check them out. If you have a file of the same name in the custom theme, follow the instructions. If you don't then you are using the default theme file for that and don't need to do anything special.


LinK187

I did.. and my forum is 1.1.5... nvm i just won't install the mod. I can't be assed any longer trying to guess what code does what and doing fruitless scavenger hunts. peace  8)

Sudhakar Arjunan

Hey Motoko Chan,

The mod you have updated is really interesting.
A very quick question from you.

I have my forum at www.sitename.com/forum/

I would like to connect my login outside the forum for ex: @ www.sitename.com

So I have included SSI.php in prefix to the index file located at sitename.com/index.php

Could you help me to compile the login action from this index.php to forum page.

- Thanks in Advance.

Reference Post @ http://www.simplemachines.org/community/index.php?topic=248550.0

icoso

Dear Motoko-chan,

I am trying to use SSL for my site. I installed this Mod but I cannot find an "option" in the Features and Settings admin page for this feature. According to my Modifications Packages screen, the SMF Secure Login 1.0.4 is installed. Where is this option turned listed at?

I have a couple of issues/questions.
If I browse to the URL https://mysite.org/board the login works and the site appears to use https throughout. But I don't understand why this works because I didn't turn anything on in the features admin page. However, I use a redirect in the .htaccess file to ensure that my entire site is being viewed via https. It looks like:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.mysite.org%{REQUEST_URI} [L]

RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^mySite\.org
RewriteRule (.*) https://www.mysite.org%{REQUEST_URI} [R,L]

If I have this in my .htaccess file then I can't log into my bulletin board.  Any ideas/suggestions?

青山 素子

Quote from: icoso on September 30, 2008, 01:53:19 PM
I am trying to use SSL for my site. I installed this Mod but I cannot find an "option" in the Features and Settings admin page for this feature. According to my Modifications Packages screen, the SMF Secure Login 1.0.4 is installed. Where is this option turned listed at?

It depends on what version of SMF you are using. The README displays the locations:

Quote
How to Use
----------
SMF 1.1: A new option is added to the Features and Settings admin page.

SMF 2.0: A new option is added to the Security and Moderation General page.


Quote from: icoso on September 30, 2008, 01:53:19 PM
I have a couple of issues/questions.
If I browse to the URL https://mysite.org/board the login works and the site appears to use https throughout. But I don't understand why this works because I didn't turn anything on in the features admin page.

There is built-in support for keeping an SSL session in SMF if you first browse to it that way. You don't need any kind of mod if you want to use SSL for everything. This mod allows you to only use SSL for login actions, but will return you to non-secured otherwise.


Quote from: icoso on September 30, 2008, 01:53:19 PM
However, I use a redirect in the .htaccess file to ensure that my entire site is being viewed via https.  It looks like:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.mysite.org%{REQUEST_URI} [L]

RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^mySite\.org
RewriteRule (.*) https://www.mysite.org%{REQUEST_URI} [R,L]

If I have this in my .htaccess file then I can't log into my bulletin board.  Any ideas/suggestions?

That would be something for general support.


icoso

Here is my version info:

Mod Name     Version     
1.    SMF 1.0.14 / 1.1.6 Update    1.0    
2.    SMF Secure Login    1.0.4

On my Basic features, Layout and Options, Karma, Core Config, Feature Config, nor any of the themes pages in my admin do I see an option that says anything about SSL. What does this new option actually state? I can't find it.

If I visit my SMF login page without using https:, ie: http://mysite.org it does not redirect me to https://mySite.org (this is what I would expect it to do.) Although the form action is calling the https:// <form action="https://mysite.org/board/index.php?action=login2" method="post" ...

Then once I login I get redirected to an https site. Is this what it's supposed to do? If yes, I guess I was just confused because I do not see the option that was referenced on the install instructions.

青山 素子

Quote from: icoso on September 30, 2008, 04:51:27 PM
Here is my version info:

Mod Name     Version     
1.    SMF 1.0.14 / 1.1.6 Update    1.0    
2.    SMF Secure Login    1.0.4

So, um, you are using SMF 1.1 then.


Quote from: icoso on September 30, 2008, 04:51:27 PM
On my Basic features, Layout and Options, Karma, Core Config, Feature Config, nor any of the themes pages in my admin do I see an option that says anything about SSL. What does this new option actually state? I can't find it.

The option text is "Use a secure (SSL) login". For SMF 1.1, it will be right below the option to disable admin security checks.


Quote from: icoso on September 30, 2008, 04:51:27 PM
If I visit my SMF login page without using https:, ie: http://mysite.org it does not redirect me to https://mySite.org (this is what I would expect it to do.) Although the form action is calling the https:// <form action="https://mysite.org/board/index.php?action=login2" method="post" ...

Then once I login I get redirected to an https site. Is this what it's supposed to do? If yes, I guess I was just confused because I do not see the option that was referenced on the install instructions.

This mod is only for enabling SSL on the login submission. Everything else should be non-secure. If you want everything to always be via SSL, edit your forum URL, theme URLs, and Smiley URLs.

If the option is enabled for SSL with the mod, you will see the form post to the SSL address, then you should drop back to an unsecured connection.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
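
The check icoso does by hand above (reading the login form's action attribute) can be automated. This is an added example, not part of the thread or of the SMF Secure Login mod: it finds forms containing a password field and reports whether the page and the form target use https, and whether the target host differs from the host the site redirects to. The function names, the `canonical_host` parameter and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect the action of every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self.current = None   # [action, has_password] for the open form
        self.actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current = [attrs.get("action") or "", False]
        elif tag == "input" and self.current is not None:
            self.current[1] |= (attrs.get("type") or "").lower() == "password"

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            if self.current[1]:
                self.actions.append(self.current[0])
            self.current = None


def audit_login_forms(page_url, html, canonical_host):
    """Return one finding per login form; canonical_host is caller-supplied."""
    finder = LoginFormFinder()
    finder.feed(html)
    findings = []
    for action in finder.actions:
        target = urlsplit(urljoin(page_url, action))  # empty action = page URL
        findings.append({
            "target": target.geturl(),
            # An http page can be altered in transit before the form is sent.
            "page_secure": urlsplit(page_url).scheme == "https",
            "post_secure": target.scheme == "https",
            # A 301/302 to another host name makes browsers repeat the POST
            # as a GET without the form body, so the login is lost.
            "host_mismatch": (target.hostname or "") != canonical_host.lower(),
        })
    return findings


# Constructed sample, modelled on the form action quoted in the thread.
SAMPLE_HTML = ('<form action="/search"><input type="text" name="q"></form>'
               '<form action="https://mysite.org/board/index.php?action=login2" method="post">'
               '<input type="text" name="user"><input type="password" name="passwrd"></form>')
```

Calling `audit_login_forms("http://mysite.org/board/index.php", SAMPLE_HTML, "www.mysite.org")` describes the login-only setup discussed here: the POST is encrypted, the page carrying the form is not, and the target host is not the canonical one.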


icoso

Dear Motoko-chan,

I am not trying to be difficult,  but where is this option located?  Under what menu and tab?

Here is everything that is listed under my Basic Features:

Poll mode  Disable polls Enable polls Show existing polls as topics 

--------------------------------------------------------------------------------

Allow guests to browse the forum   
Enable user-selectable language support   
Allow users to edit their displayed name?   
Allow non-administrators to hide their online status?   
Allow users to hide their email from everyone except admins?   
Do not reveal contact details of members to guests   
Enable custom titles   
Enable buddy lists   
Default personal text   
Maximum allowed characters in signatures
(0 for no max.)   

--------------------------------------------------------------------------------

Default time format   
Default number format  1234.00 1,234.00 1.234,00 1 234,00 1234,00 
Overall time offset
(added to the member specific option.)   
Failed login threshold   
User online time threshold   
Track daily statistics   
Track daily page views (must have stats enabled)   
Enable error logging   
Disable administration security   
   

--------------------------------------------------------------------------------

Require reactivation after email change   
Require admin approval when member deletes account   

--------------------------------------------------------------------------------

Allow users to disable announcements   
Don't allow post text in notifications?   
Log moderation actions   
Search engine friendly URLs
Apache only!   

--------------------------------------------------------------------------------

Max width of posted pictures (0 = disable)   
Max height of posted pictures (0 = disable)   

--------------------------------------------------------------------------------

Enable reporting of personal messages   
Maximum number of recipients allowed in a personal message.
(0 for no limit, admins are exempt)   
Post count under which users must enter code when sending personal messages.
(0 for no limit, admins are exempt)   
Number of personal messages a user may send in an hour.
(0 for no limit, moderators are exempt)


Here is everything under Layout and Options:

Limit number of displayed page links   
Contiguous pages to display:
"3" to display: 1 ... 4 [5] 6 ... 9
"5" to display: 1 ... 3 4 [5] 6 7 ... 9   

--------------------------------------------------------------------------------

Enable "Today" feature  Disabled Only Today Today & Yesterday 
Enable Go Up/Go Down buttons   
Show online/offline in posts and PMs   
Show a quick login on every page   

--------------------------------------------------------------------------------

Members per page in member list   

--------------------------------------------------------------------------------

Display time taken to create every page   
Disable hostname lookups?   

--------------------------------------------------------------------------------

Enable who's online list


I don't see anything labeled "Use a secure (SSL) login". Since SMF Secure Login is listed under my packages menu and there is a little green button next to it, it would appear it is installed correctly.

What am I missing?

Thanks for your help.
