News:

Wondering if this will always be free?  See why free is better.

Main Menu

Unable to enable SSL cookies

Started by MobileCS, January 15, 2018, 11:44:59 PM

Previous topic - Next topic

MobileCS

I've just converted my website to HTTPS and the option to enable SSL cookies is grey'd out. My settings file is writable.

Does SMF try to detect HTTPS before allowing that option to be set?

If so, it will not be detected on my site as I use Nginx in front of Apache and "proxypass" via HTTP. I do not have SSL enabled in Apache.

How can I manually bypass this restriction?

MobileCS

Adding the following to Settings.php solved the issue.

$_SERVER['HTTPS'] = 'on';

Is this safe to use in my situation?

Aleksi "Lex" Kilpinen

Those are actually really good questions, ones i'm unable to give a good answer to -
but you can check your current Cookies status easily if you use Chrome.

Chrome DevTools -> Application Panel -> Cookies, and see if your Cookie is set as secure.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

MobileCS

The cookies are not secure right now.

Aleksi "Lex" Kilpinen

This is an area where I feel I must repeat I am not very familiar with - but I did find more than a few websites that seem to deal with a similar situation through Nginx configuration.

I hope someone with more experience on the issue can help you further, but this seemed like a good starting point to me
https://geekflare.com/httponly-secure-cookie-nginx/
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

The problem is that SMF tries to detect if HTTPS is in use and it can't know that it is because of the proxy.

Assuming you don't allow traffic over HTTP and always redirect to HTTPS, what you've done in Settings.php should be safe.

MobileCS

Quote from: Arantor on January 19, 2018, 08:33:18 AM
The problem is that SMF tries to detect if HTTPS is in use and it can't know that it is because of the proxy.

Assuming you don't allow traffic over HTTP and always redirect to HTTPS, what you've done in Settings.php should be safe.

Thank you!

Yes, I have Nginx set to redirect all traffic to HTTPS.

Aleksi "Lex" Kilpinen

Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Advertisement: