Page 1 of 1
Admin login form targets HTTP instead of HTTPS
Posted: Fri Dec 09, 2016 8:35 pm
by devguy
I have defined HTTPS in my config for both frontend and admin.
Everything seems fine apart from the admin login form. Its action is pointed to the HTTP instead of HTTPS.
If I enable HTTP admin to login then switch to HTTPS everything is fine but when I define HTTPS everywhere the login form still points to HTTP so I can't log in due to mixed content.
What constant is used to determine the action URL of the login form?
Re: Admin login form targets HTTP instead of HTTPS
Posted: Fri Dec 09, 2016 9:01 pm
by thekrotek
Check your .htaccess - it might have HTTP redirection defined. Also check config.php and make sure, it points to HTTPS everywhere.
Re: Admin login form targets HTTP instead of HTTPS
Posted: Fri Dec 09, 2016 9:13 pm
by devguy
The issue is the forms target is "
http://domain.com/admin/index.php?route=common/login".
.htaccess rules are applied by apache on requests, as far as I am aware it doesn't rewrite the actual HTML. All the config.php constant values point to HTTPS.
That is:
//HTTP
define('HTTP_SERVER', '
https://domain.com/admin/');
define('HTTP_CATALOG', '
https://domain.com/');
define('HTTP_IMAGE', '
https://domain.com/image/');
define('HTTP_ADMIN', '
https://domain.com/admin/');
// HTTPS
define('HTTPS_SERVER', '
https://domain.com/admin/');
define('HTTPS_CATALOG', '
https://domain.com/');
define('HTTPS_IMAGE', '
https://domain.com/image/');
define('HTTPS_ADMIN', '
https://domain.com/admin/');
Did I miss any? I added this to admin config.php also.
I looked in the files that generate the form and it is populated by a variable "$action" so somewhere in the page lifecycle it is being set incorrectly. I think it is done by starter/router.php but I am not sure.
Everything else works fine. I could in theory hard code my sites link into the form but I would prefer to understand and fix the issue properly.
Re: Admin login form targets HTTP instead of HTTPS
Posted: Sat Dec 10, 2016 12:01 am
by devguy
I ran debugging session. On controller there is a value:
$this->url->ssl->false
Anyone know the correct place to set it to true?
Re: Admin login form targets HTTP instead of HTTPS
Posted: Sat Dec 10, 2016 12:50 am
by devguy
I changed system/config/default.php and system/config/admin.php to site_ssl = true and now it works.
I find it weird that this is undocumented and couldn't find anything on this by googling but it seems to have done the trick.
Re: Admin login form targets HTTP instead of HTTPS
Posted: Fri Feb 10, 2017 9:13 am
by IP_CAM
I created a Listing, containing several VqMod/OcMod-Extensions, for different OC-Versions,
related to this - sometimes 'internally' not linked to HTTPS - Matter. They are untested, and
they come as they are, I cannot support anybody, because I don't use https yet!
Good Luck !
Ernie
full_site_https_xml_files.zip