1
piar
How to use SSL for login?
  • 2008/11/12 11:33

  • piar

  • Just popping in

  • Posts: 22

  • Since: 2008/10/30


I've found that there are some options in General Settings for making a secure login:
Use SSL for login?
SSL Post variable name
URL where SSL login page is located

Can someone explain to me how to use them? I changed Use SSL for login to 'yes', but it seems that it is still done without SSL. And what should I put as URL where SSL login page is located? Now there is just the default 'https: //'. Should I put there
https: //mydomain.com/user.php
or is there some other special file for secure login?

Could you also tell me what the difference is when I have 'no' in the Use SSL for login field but I enter this address in my browser to log in:
https: //mydomain.com/user.php
?

Regards

2
sailjapan
Re: How to use SSL for login?

Quote:
To be able to create an SSL connection a web server requires an SSL Certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key.


more at SSL.com

(after reading this, you need to talk with your hosting provider)
Never let a man who does not believe something can be done, talk to a man that is doing it.

3
piar
Re: How to use SSL for login?
  • 2008/11/12 15:15

  • piar

  • Just popping in

  • Posts: 22

  • Since: 2008/10/30


Thank you for your reply to my post.

On my server there is an SSL certificate. In fact, it isn't yet registered with the Certification Authority, but this is not a problem. I don't need a secure connection for customers of my site - I want it just for editor/administrator purposes.

But I don't know what to do to have this SSL working properly in XOOPS. When I put in my browser: https: //mydomain.com/user.php I get a message that there is something wrong with the certificate (which is clear, because it is not registered), and then after pressing 'continue' I get a message that some elements on the page aren't secure. After I log in I see the administration panel and the address in the browser becomes http: // (so after login the browser is redirected to an unsecure connection).

Could someone give a quick tutorial here on what to do to get one of these scenarios:
1) logging into the administration panel and performing every operation using https;
2) using SSL just for login and then performing all operations without SSL?

I see that there are those 3 fields concerning SSL in General Settings of XOOPS but I don't know how to use them :(

4
ghia
Re: How to use SSL for login?
  • 2008/11/12 15:44

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


It seems it is functioning well in the current limits.
Check this out.

5
piar
Re: How to use SSL for login?
  • 2008/11/12 16:20

  • piar

  • Just popping in

  • Posts: 22

  • Since: 2008/10/30


Thank you!

I've already read those instructions but I still wonder if I couldn't somehow use the built-in mechanism of XOOPS. I'm sure that there is something like that because of those three fields concerning SSL in General Settings. Maybe I should just enter something there and I will have secure login (my 2nd scenario) without changing anything in the code?

6
sailjapan
Re: How to use SSL for login?

I think you misunderstand the nature of SSL.

The SSL process works as follows:

1. Client connects to web server and gives a list of available ciphers.
2. Server picks the strongest cipher that both it and the client support, and sends back a certificate with its name and public encryption key, signed by a trusted Certificate Authority (such as Verisign).
3. The client checks the certificate with the CA. In practice, clients tend to have a collection of CAs locally, so this can be done without having to contact the CA in realtime, and therefore more quickly.
4. The client sends back a random number encrypted with the server's public key. Only the client knows the number, and only the server can decrypt it (using its private key); this is where the third-party security comes in.
5. Server and client use this random number to generate key material to use for the rest of the transaction.

Step by Step: Configuring SSL

You have to apply for a certificate from a Certificate Authority; XOOPS can use this once you have it, but cannot create it for you.
Never let a man who does not believe something can be done, talk to a man that is doing it.

7
piar
Re: How to use SSL for login?
  • 2008/11/12 17:20

  • piar

  • Just popping in

  • Posts: 22

  • Since: 2008/10/30


Yes, but Apache on that server already has SSL configured (the certificate is generated and installed on the server; it just isn't registered with a Certificate Authority).
And for example I can run in the browser: https ://mydomain.com/user.php - it works (the page is opened).

But I don't know how to use those three fields concerning SSL in General Settings of XOOPS. What should I put there? I changed for example 'Use SSL for login' from the default 'no' to 'yes' but I didn't notice any difference in the behaviour of the site. And I don't know what to put in 'URL where SSL login page is located' - https: //mydomain.com/user.php or something else?

8
piar
Re: How to use SSL for login?
  • 2008/11/12 23:45

  • piar

  • Just popping in

  • Posts: 22

  • Since: 2008/10/30


I was searching the XOOPS code concerning SSL and I found that when 'Use SSL for login' is set to 'yes', a link to secure login appears in the login block. When the user presses that link, a new browser window pops up with the address provided in the 'URL where SSL login page is located' field. So now I know what those three fields are for, and I know that it is not what I am looking for.
I will probably have to implement SSL as it is in that post which ghia linked here.

Thank you sailjapan and ghia for helping me with that problem!

9
bumpeboy
Re: How to use SSL for login?
  • 2009/10/31 0:04

  • bumpeboy

  • Friend of XOOPS

  • Posts: 170

  • Since: 2008/10/4


I would like to use the XOOPS SSL login page.

I have the certificate and it's already installed on my server under:

/ssl/private/mydomain.tld.key
/ssl/certs/mydomain.tld.crt
/ssl/certs/mydomain.tld.cabundle

1. So how do I make XOOPS SSL login work on the whole site?
2. Is it possible to have all non-logged-in users view the unsecured area and only the logged-in users use the secured area?





10
ghia
Re: How to use SSL for login?
  • 2009/10/31 9:29

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


-1- You must copy users.php to the directory where the https files reside and activate it with the preference in system general.
-2- That would require a change in mainfile.php to adapt the XOOPS_URL at the case. Have a look at the multix multisite files.
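
One way to make the mainfile.php change described in -2- above, shown as an added example that is not part of ghia's post and not XOOPS's own code. The names `EXAMPLE_SITE_HOST`, `example_request_is_https` and `example_base_url` are hypothetical, the host is the thread's placeholder `mydomain.com`, and it assumes TLS terminates on the web server itself (no reverse proxy in front).

```php
<?php
// Added example (not XOOPS code): derive XOOPS_URL from the scheme of the
// current request instead of hard-coding http:// in mainfile.php.

// Fixed host name (placeholder from the thread). The base URL is never built
// from the client-supplied Host header, which an attacker can set freely.
const EXAMPLE_SITE_HOST = 'mydomain.com';

/**
 * True when the current request arrived over TLS.
 * $server is passed in (normally $_SERVER) so the logic can be exercised
 * with constructed arrays.
 */
function example_request_is_https(array $server): bool
{
    // Apache/mod_ssl sets HTTPS=on; some servers set HTTPS=off on plain HTTP,
    // so a non-empty value alone is not enough.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Fallback for servers that do not set HTTPS at all.
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

/** Base URL whose scheme matches the request that is being served. */
function example_base_url(array $server): string
{
    $scheme = example_request_is_https($server) ? 'https' : 'http';
    return $scheme . '://' . EXAMPLE_SITE_HOST;
}

// In mainfile.php this takes the place of the hard-coded definition.
if (!defined('XOOPS_URL')) {
    define('XOOPS_URL', example_base_url($_SERVER));
}

// When the secure area is used, the session cookie should only travel over
// TLS; otherwise a later plain-HTTP request exposes it.
if (example_request_is_https($_SERVER)) {
    ini_set('session.cookie_secure', '1');
}
```

With this in place, links and redirects built from `XOOPS_URL` stay on the scheme the request arrived on. Behind a TLS-terminating proxy the `HTTPS` variable is not set by the web server, so the check would need to be adapted to that setup.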
