1 Jun 16, 2011 22:22

My b2evolution Version: Not Entered

Hi, I would like to secure all my blog pages with SSL. I know that one can change the conf/_advanced.php variable $htsrv_url_sensitive so that logins and such happen over SSL. But I'd like wider support of SSL. A few things prompt this:

  • Tools like Firesheep could likely easily be used to capture my b2evolution authentication cookie while I'm logged in, giving an adversary admin capabilities.

  • I'd like users to be able to have the option of surfing my blog using SSL.

The first is the one I'm most concerned about at the moment. It seems like any logged-in b2evo user is at risk of having their cookie stolen (say, if you're surfing on open WiFi without using a VPN, etc.) and then having their account used or modified. Admin users could suffer much more damage.

One fix could be to change $base_url conditionally if the user is logged in, such that all their pages were served over SSL until they logged out.

Does anyone see any problems with this? (I'm going to go and change $base_url for the fun of it right now!)

2 Jun 16, 2011 22:31

Yeah, ok... I'm an idiot. Changing to SSL site-wide is as easy as changing the $baseurl in conf/_basic_config.php to https. Duh.

3 Jun 17, 2011 13:55

Hi, how do you change the conf/_advanced.php variable $htsrv_url_sensitive so that logins and such happen over SSL? I looked at the code but there are no instructions on how to do so.

By the way, I receive a warning (certificate invalid) when I visit your website. It seems the https connection applies to all visitors regardless of whether they are logged in or not.

4 Jun 17, 2011 14:21

Hi, you can see how to change that here: http://forums.b2evolution.net/viewtopic.php?t=21982

Yes, you get an invalid cert warning at my site because it's a self-signed certificate (I can't afford to pay a CA to sign my cert just yet). Changing the $baseurl in conf/_basic_config.php to https:// is the only way to force all logged-in users to have their sessions encrypted.
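The site-wide https setting the thread settles on, with two additions a practitioner would want alongside it: a redirect for anyone who still arrives over plain http, and an HSTS header so browsers stop using http for the site at all. This is an added example, not code from b2evolution or from the posters; it assumes conf/_basic_config.php runs on every request before any output is sent, and example.com is a placeholder hostname.

```php
<?php
// Added example, not b2evolution's own code. Assumes this file is included on
// every request before output, and that $baseurl is the site-wide base URL
// discussed in the thread. "example.com" is a placeholder hostname.
$baseurl = 'https://example.com/';

// True when the current request arrived over TLS (standard PHP $_SERVER keys).
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

// The https URL a plain-http request is sent to. The host is filtered so a
// crafted Host header cannot inject extra characters into the Location header.
function https_redirect_target(array $server): string
{
    $host = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : 'example.com';
    $host = preg_replace('/[^A-Za-z0-9.\-:]/', '', $host);
    $uri  = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    return 'https://' . $host . $uri;
}

if (PHP_SAPI !== 'cli') {
    if (!request_is_https($_SERVER)) {
        // A cookie the browser already holds may have been sent in the clear on
        // this one request; the redirect keeps the rest of the visit encrypted.
        header('Location: ' . https_redirect_target($_SERVER), true, 301);
        exit;
    }
    // Sent only over https: browsers that have seen it refuse plain http to this
    // host for a year, so the login cookie is not sent unencrypted again.
    header('Strict-Transport-Security: max-age=31536000');
}
```

This does not change how b2evolution itself sets its login cookie; whether that cookie carries the Secure attribute is a separate check worth making in the browser's cookie store after logging in.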