Force SSL Administrator Only - Can't Login

TIMMY
Joomla! Apprentice
Posts: 12
Joined: Thu Nov 06, 2008 5:16 pm

Force SSL Administrator Only - Can't Login

Post by TIMMY » Thu Nov 05, 2009 9:23 pm

I have got an SSL certificate installed on my Joomla site, but when I choose the option in the global configuration 'Force SSL Administrator Only', I then can't log in to the backend; it just loops. I am running 1.5.15. Is there a fix for this?

cloaked0
Joomla! Apprentice
Posts: 6
Joined: Thu Nov 05, 2009 12:20 am

Re: Force SSL Administrator Only - Can't Login

Post by cloaked0 » Fri Nov 06, 2009 3:15 am

Hi, I have the same problem. I created a free SSL cert in my host's cPanel and set force SSL admin in the Joomla configuration. When I try to open it with Chrome it just tries to open forever (but doesn't succeed) and IE 8 just shows "The webpage cannot be found". How do I get it to work?

@TIMMY: if you can't access backend just edit var $force_ssl = '1'; to 0 in configuration.php

fw116
Joomla! Ace
Posts: 1365
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Re: Force SSL Administrator Only - Can't Login

Post by fw116 » Fri Nov 06, 2009 11:35 am

How about:

https://www.yourtsite.com/administrator ?

You don't have to force anything...

Just https instead of http...

TIMMY
Joomla! Apprentice
Posts: 12
Joined: Thu Nov 06, 2008 5:16 pm

Re: Force SSL Administrator Only - Can't Login

Post by TIMMY » Fri Nov 06, 2009 1:34 pm

Thanks for the reply, the login loop happens when using https.

cloaked0
Joomla! Apprentice
Posts: 6
Joined: Thu Nov 05, 2009 12:20 am

Re: Force SSL Administrator Only - Can't Login

Post by cloaked0 » Fri Nov 06, 2009 7:08 pm

fw116 wrote:
> How about:
>
> https://www.yourtsite.com/administrator ?
>
> You don't have to force anything...
>
> Just https instead of http...

It doesn't matter. This happens if we use https (forced or not).

netro1
Joomla! Apprentice
Posts: 44
Joined: Mon Nov 09, 2009 9:46 am

Re: Force SSL Administrator Only - Can't Login

Post by netro1 » Mon Nov 09, 2009 10:20 am

I think I just had the same (or at least a similar) problem but managed to fix it!

Details of my problem and what I did to fix it are here:

http://forum.joomla.org/viewtopic.php?f=433&t=458713

Hope it helps :)

Alextampa
Joomla! Guru
Posts: 557
Joined: Fri Jan 09, 2009 3:16 pm
Location: Tampa

Re: Force SSL Administrator Only - Can't Login

Post by Alextampa » Mon Nov 09, 2009 8:57 pm

It's because you don't have www or non-www consistent, more than likely.

cloaked0
Joomla! Apprentice
Posts: 6
Joined: Thu Nov 05, 2009 12:20 am

Re: Force SSL Administrator Only - Can't Login

Post by cloaked0 » Mon Nov 09, 2009 9:02 pm

It's not that... it's a server-side problem... thanks for the input, guys.

building252
Joomla! Apprentice
Posts: 6
Joined: Sat Feb 06, 2010 5:34 am

Re: Force SSL Administrator Only - Can't Login

Post by building252 » Thu Feb 25, 2010 3:05 am

Anyone figure this out? I'm having the same problem. It's driving me nuts.

building252
Joomla! Apprentice
Posts: 6
Joined: Sat Feb 06, 2010 5:34 am

Re: Force SSL Administrator Only - Can't Login

Post by building252 » Thu Feb 25, 2010 3:29 am

Figured it out...at least for me. Make sure your - var $live_site = 'https://www.yourdomain.com'; has the https in it.

Loop is gone... :)

Searz
Joomla! Apprentice
Posts: 10
Joined: Sun Jan 24, 2010 4:13 am

Re: Force SSL Administrator Only - Can't Login

Post by Searz » Thu May 27, 2010 12:50 am

I changed $var livesite in the configuration.php file from http to https - I can now log in to the backend of my site, but now the whole site is forced to use https, which I don't want.

I only need administrators and users who are logged in to use a secure URL.

This problem occurred after installing Joomla 1.5.17.

Is there an issue with the Force URL in Global Configuration? Are there any ideas for this? I can't seem to get a solid answer about secure and non-secure URL redirection with the latest version of Joomla.

Thanks.

wirecreative
Joomla! Apprentice
Posts: 48
Joined: Mon Mar 10, 2008 6:52 pm

Re: Force SSL Administrator Only - Can't Login

Post by wirecreative » Tue Aug 10, 2010 10:00 pm

I have this problem, too, on a site using ver 1.5.20.

Had to turn off the forced admin SSL to login again.

If there are any fixes for this, they would be appreciated by many.

Searz
Joomla! Apprentice
Posts: 10
Joined: Sun Jan 24, 2010 4:13 am

Re: Force SSL Administrator Only - Can't Login

Post by Searz » Wed Aug 11, 2010 3:15 am

wirecreative wrote:
> I have this problem, too, on a site using ver 1.5.20.
>
> Had to turn off the forced admin SSL to login again.
>
> If there are any fixes for this, they would be appreciated by many.

I've since upgraded to 1.5.20 and yep... still the same problem.

There's also now an issue with the contact form in Joomla, where a user can submit their details/messages and I receive their information in my inbox fine, but the user receives no confirmation page to let them know that their message has been sent. The contact form just tends to loop. I think this might have something to do with the SSL connection as well.

Let's hope there's a nice big brain out there who can lend us a hand! :)

CorePressure
Joomla! Enthusiast
Posts: 246
Joined: Thu Dec 03, 2009 6:34 pm
Location: Bucharest

Re: Force SSL Administrator Only - Can't Login

Post by CorePressure » Mon Aug 16, 2010 1:17 am

Just leave the live_site thing empty...
Core Pressure - Joomla! Tutorials + Videos
http://www.corepressure.com
Follow CorePressure.com Updates via Twitter @:
http://www.twitter.com/CorePressure

wirecreative
Joomla! Apprentice
Posts: 48
Joined: Mon Mar 10, 2008 6:52 pm

Re: Force SSL Administrator Only - Can't Login

Post by wirecreative » Mon Aug 16, 2010 8:15 am

CorePressure wrote:
> Just leave the live_site thing empty...

The SEF component I use, sh404sef, requires a value in that variable, so that's not an option.

Searz
Joomla! Apprentice
Posts: 10
Joined: Sun Jan 24, 2010 4:13 am

Re: Force SSL Administrator Only - Can't Login

Post by Searz » Tue Aug 17, 2010 12:11 am

wirecreative wrote:
> CorePressure wrote:
> > Just leave the live_site thing empty...
>
> The SEF component I use, sh404sef, requires a value in that variable, so that's not an option.

Yeah I don't think it's a good idea to remove that.

SamBC
Joomla! Apprentice
Posts: 5
Joined: Mon May 24, 2010 5:54 pm

Re: Force SSL Administrator Only - Can't Login

Post by SamBC » Fri Aug 20, 2010 2:20 pm

I'm experiencing this as well. As far as I can tell, unless I'm willing to make the whole site force SSL the best I can get for having the admin side use SSL is manually using it when logging in... it then redirects back to the non-SSL URL, which seems to cause a loop when admin SSL-forcing is enabled.

However, looking at the docs it should be fine - in most cases - to set live_site to the empty string. I'm going to try this. Someone should be looking at fixing this even when live_site is set, though.

atolero
Joomla! Apprentice
Posts: 19
Joined: Fri Dec 08, 2006 3:26 pm

Re: Force SSL Administrator Only - Can't Login

Post by atolero » Wed Sep 01, 2010 1:16 am

Even with force SSL, if you change live_site to https://livesite.com it works.
The problem is that with sh404sef activated, if the user types http://livesite.com the page goes 404!
Trying to figure it out.

SamBC
Joomla! Apprentice
Posts: 5
Joined: Mon May 24, 2010 5:54 pm

Re: Force SSL Administrator Only - Can't Login

Post by SamBC » Wed Sep 01, 2010 6:05 pm

The conclusion I eventually reached was that, if live_site is set, all links and redirects will use that as the base. Thus, if forcing of SSL is admin only, and you set live_site to non-SSL, it'll keep breaking. If force SSL is admin only, and you set live_site to SSL, links and redirects on the frontend will also be to SSL. This is not a good thing if you're using an internal CA or a self-signed cert.

If you do not set live_site, it will apparently work fine in most cases. It's working great for me right now.
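
The three cases SamBC describes above can be checked against a site's own configuration.php. This is an added example, not code from the thread or from Joomla; the function names, result labels and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which of the force_ssl / live_site
# combinations described above a Joomla 1.5 configuration.php is in.

# Print the single-quoted value of "var $NAME = '...';" (the form Joomla 1.5 writes).
cfg_value() {
    awk -F"'" -v name="$2" \
        '$0 ~ ("var[ \t]+\\$" name "[ \t]*=") { print $2; exit }' "$1"
}

# Classify the file; the result labels are names chosen for this example.
check_admin_ssl() {
    force=$(cfg_value "$1" force_ssl)
    live=$(cfg_value "$1" live_site)
    if [ "$force" != "1" ]; then
        echo "force-ssl-not-admin-only"
        return 0
    fi
    case "$live" in
        "")        echo "ok-live-site-empty" ;;            # links follow the request
        http://*)  echo "login-loop-live-site-is-http" ;;  # backend redirected back to http
        https://*) echo "frontend-links-use-https" ;;      # whole site links go to SSL
        *)         echo "live-site-unrecognised" ;;
    esac
}

# Constructed sample file, for demonstration only.
demo_dir=$(mktemp -d)
cat > "$demo_dir/configuration.php" <<'EOF'
<?php
class JConfig {
    var $force_ssl = '1';
    var $live_site = 'http://www.example.com';
}
EOF
check_admin_ssl "$demo_dir/configuration.php"
rm -rf "$demo_dir"
```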

jabbott777
Joomla! Intern
Posts: 51
Joined: Tue Jan 26, 2010 10:37 pm

Re: Force SSL Administrator Only - Can't Login

Post by jabbott777 » Thu Sep 09, 2010 4:29 pm

Is there any update on this bug? I am also using SH404SEF and I have to have something in live_site.

mandville
Joomla! Master
Posts: 15006
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Force SSL Administrator Only - Can't Login

Post by mandville » Thu Sep 09, 2010 9:42 pm

jabbott777 wrote:
> Is there any update on this bug? I am also using SH404SEF and I have to have something in live_site.

Have you asked sh404 to fix their "bug"?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

jabbott777
Joomla! Intern
Posts: 51
Joined: Tue Jan 26, 2010 10:37 pm

Re: Force SSL Administrator Only - Can't Login

Post by jabbott777 » Sat Sep 11, 2010 5:40 am

Riiiiight. Thanks for your help man, it was invaluable, really. But in the meantime I have discovered if you core hack libraries/joomla/environment/uri.php

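Code:

    if (JPATH_BASE == JPATH_ADMINISTRATOR)
    {
        // force_ssl as set in configuration.php
        $force_ssl = $config->getValue('config.force_ssl');

        if ($force_ssl > 0)
        {
            // Switch the scheme of the backend base URL to https.
            // preg_replace() is used in place of ereg_replace(), which is deprecated since PHP 5.3.
            $base['prefix'] = preg_replace('#^http://#', 'https://', $base['prefix']);
        }

        $base['path'] .= '/administrator';
    }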

leolam
Joomla! Master
Posts: 20243
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Force SSL Administrator Only - Can't Login

Post by leolam » Sat Sep 11, 2010 8:52 am

You can use your .htaccess file for this without having to change code.

Force HTTPS for certain pages:

Code:

    ########## Begin - Force HTTPS for certain pages
    # Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
    RewriteCond %{HTTPS} ^off$ [NC]
    RewriteRule ^foobar\.html$ https://www.domain.com/foobar.html [L,R=301]
    ########## End - Force HTTPS for certain pages

foobar is an example; replace it with real links. The same goes for domain.com, which should be your real domain name. In other words, you need to change this line and copy it for the pages needed:

Code:

    RewriteRule ^foobar\.html$ https://www.domain.com/foobar.html [L,R=301]

In case you wish to force HTTPS for a particular folder you can use:

Code:

    # $1 is appended after /somefolder/, so this belongs in somefolder/.htaccess
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} somefolder
    RewriteRule ^(.*)$ https://www.domain.com/somefolder/$1 [R,L]

Rewrite to SSL or NON-SSL using relative URL:

Code:

    # The leading slash is optional so the pattern also matches in .htaccess, where it is stripped
    RewriteRule ^/?(.*):SSL$   https://%{SERVER_NAME}/$1 [R,L]
    RewriteRule ^/?(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L]

Hope this helps

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

fuzzkiwi
Joomla! Fledgling
Posts: 3
Joined: Sat Sep 11, 2010 2:32 am

Re: Force SSL Administrator Only - Can't Login

Post by fuzzkiwi » Wed Oct 13, 2010 11:57 pm

I like the idea of the .htaccess solution but the file change for administrator folder to stay ssl and not keep looping back to login...did not work. Not for me anyway. I must need to change other stuff in that file..and I don't like the idea without knowing what the heck I am breaking :)

trebuhregnilmir
Joomla! Fledgling
Posts: 1
Joined: Mon May 16, 2011 9:48 am

Re: Force SSL Administrator Only - Can't Login

Post by trebuhregnilmir » Mon May 16, 2011 10:04 am

Hi everyone,

Like many other people, I checked "Force SSL" in my backend. So, I could no longer access the backend.

Although it was posted in Nov 2009, cloaked0's tip worked fine for me on Joomla 1.5.23:

"if you can't access backend just edit var $force_ssl = '1'; to 0 in configuration.php"

I did it and could again have access to my backend.

Thx to cloaked0 for the help!

tez
Joomla! Enthusiast
Posts: 248
Joined: Tue Nov 14, 2006 3:29 am

Re: Force SSL Administrator Only - Can't Login

Post by tez » Wed May 18, 2011 12:39 pm

I suddenly got this problem on my site for no reason I can see. It's weird.
I've been using SSL admin for a long time, now it won't work.

avedis777
Joomla! Apprentice
Posts: 14
Joined: Thu Jun 16, 2011 2:42 am

Re: Force SSL Administrator Only - Can't Login

Post by avedis777 » Thu Jun 16, 2011 2:45 am

Has anyone found a solution for this?

I have to have $live_site set to "http..." because after the user completes vm orders I need the site to return to http when the user clicks home.

I would like the back end to be secured but I am dealing with the login loop issue...any fixes for this?

tez
Joomla! Enthusiast
Posts: 248
Joined: Tue Nov 14, 2006 3:29 am

Re: Force SSL Administrator Only - Can't Login

Post by tez » Thu Jun 16, 2011 3:50 am

Nope, I didn't find a fix. I was hosting on Dreamhost and I asked them but they didn't understand the problem.

avedis777
Joomla! Apprentice
Posts: 14
Joined: Thu Jun 16, 2011 2:42 am

Re: Force SSL Administrator Only - Can't Login

Post by avedis777 » Thu Jun 23, 2011 12:52 am

I think the problem comes from having the $live_site variable set to an http:// address, and it is trying to force the administrator back to http after the force SSL option is forcing it to SSL, but I don't know enough about Joomla development to see if this is what's going on and how to fix it.

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Force SSL Administrator Only - Can't Login

Post by PhilD » Fri Jun 24, 2011 1:16 pm

Please refrain from dredging up topics that are a year or more old. If you have a similar issue then please make a new fresh post about the issue. Joomla has had several changes and web server software has also changed. This may make an old topic irrelevant or may make a solution different for a newer version.

The "if you can't access backend just edit var $force_ssl = '1'; to 0 in configuration.php" is the standard way to fix the issue if you are locked out by turning SSL on when you do not have the proper certificate setup.

One caveat is if Joomla has set your configuration.php file to 444, your FTP upload of the file (download of file will work fine) after the fix will fail, as the file on the server is read only and cannot be overwritten by the file you are trying to upload. If you're not paying attention, you may not notice the failure, and then wonder why the solution did not work. The fix for that is to first change the permission of the file to 644, then download the file, fix it, then upload the file back, and then change permissions back to 444 on the file.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
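
The recovery procedure described above, as an added example that is not part of the original post or of Joomla: a shell function for a server with shell access rather than FTP. The function name and sample file are constructed; for a 444 file, chmod u+w / u-w is the same 644 / 444 switch.

```shell
#!/bin/sh
# Added example (not from the thread): set force_ssl back to 0 in a read-only
# configuration.php, then restore the read-only bit and verify the result.

disable_force_ssl() {
    cfg=$1
    [ -f "$cfg" ] || { echo "not found: $cfg" >&2; return 1; }

    # Work on a copy outside the web root: a configuration.php.bak left next to
    # the original would be served as plain text, database password included.
    tmp=$(mktemp) || return 1
    sed "s/^\([[:space:]]*var[[:space:]]*\\\$force_ssl[[:space:]]*=[[:space:]]*\)'[^']*';/\1'0';/" \
        "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }

    # A 444 file has no owner write bit; add it (444 -> 644) and remember to undo.
    was_readonly=no
    case $(ls -ld "$cfg") in
        ??-*) was_readonly=yes; chmod u+w "$cfg" || { rm -f "$tmp"; return 1; } ;;
    esac

    # Overwrite in place so owner and mode stay as the web server expects.
    cat "$tmp" > "$cfg"
    status=$?
    rm -f "$tmp"
    if [ "$was_readonly" = yes ]; then chmod u-w "$cfg"; fi   # 644 -> 444 again
    [ "$status" -eq 0 ] || return 1

    # Confirm the edit landed; a write that failed unnoticed is the trap described above.
    grep -q "\\\$force_ssl[[:space:]]*=[[:space:]]*'0';" "$cfg"
}

# Constructed sample file, for demonstration only.
demo_dir=$(mktemp -d)
cat > "$demo_dir/configuration.php" <<'EOF'
<?php
class JConfig {
    var $force_ssl = '1';
    var $live_site = 'http://www.example.com';
}
EOF
chmod 444 "$demo_dir/configuration.php"
disable_force_ssl "$demo_dir/configuration.php" && echo "force_ssl disabled"
rm -rf "$demo_dir"
```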


Locked
