Lockdown (force a template to use https)

Posted: 24 April 2007 10:50 AM
Research Assistant
Total Posts: 921
Joined 07-18-2006
In another thread D3453 had been asking about encrypting log-in forms, and since I had recently been doing the same thing I figured I’d post this plug-in.
All it does is check whether the server is using https - if it’s not, it will redirect you to the same page but use https.
Just add {exp:lockdown} to any templates you want to encrypt.

Posted: 24 April 2007 11:41 AM
[ # 1 ]
Grad Student
Total Posts: 61
Joined 10-23-2006
Thanks Brian for the plug-in. I am having a bit of trouble getting it to work though. It redirects to https but the page won’t load. The first problem was with throttling. So I disabled it and now I get an error page that says:
The page isn’t redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
* This problem can sometimes be caused by disabling or refusing to accept cookies.
My site uses cookies so I don’t understand this error. Any ideas? Did you have this problem? Thanks so much for your time.
Dave

Posted: 24 April 2007 12:25 PM
[ # 2 ]
Research Assistant
Total Posts: 921
Joined 07-18-2006
D3453 - 24 April 2007 11:41 AM
Thanks Brian for the plug-in. I am having a bit of trouble getting it to work though. It redirects to https but the page won’t load. The first problem was with throttling. So I disabled it and now I get an error page that says:
The page isn’t redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
* This problem can sometimes be caused by disabling or refusing to accept cookies.
My site uses cookies so I don’t understand this error. Any ideas? Did you have this problem? Thanks so much for your time.
Dave
Hi Dave - I’m pretty sure I know what’s happening. Who is your host? The plug-in uses a server variable called ‘HTTPS’ (of all things), but I’ve found out that not all server setups actually honor this variable. I think it has to do with server clustering.
Can you take the attached file (unzip it), upload it to your server and then point a browser to it using https? Let me know what it says. Unfortunately if your server doesn’t support the HTTPS variable there isn’t a really good way of doing this. I have a client on EngineHosting and they were kind enough to enable it for us, but I doubt many shared hosting environments will be as helpful.

Posted: 24 April 2007 12:54 PM
[ # 3 ]
Grad Student
Total Posts: 61
Joined 10-23-2006
Hi Brian, I am in a server cluster and the response was https response: What do I need to do to enable this? Thanks so much

Posted: 24 April 2007 01:26 PM
[ # 4 ]
Research Assistant
Total Posts: 921
Joined 07-18-2006
I’m not sure what Nevyn and co. did to enable this, but they did enable it. You should get in touch with your host and ask them if it is possible to enable the $_SERVER['HTTPS'] response as you’re trying to use it to encrypt parts of your website.
Without that there’s really no way this plug-in can work unfortunately. I searched for other ways to get it accomplished (and asked the advice of EngineHosting) but as strange as it is there really wasn’t a way around it that we could find.
Sorry Dave.

Posted: 24 April 2007 03:04 PM
[ # 5 ]
Grad Student
Total Posts: 61
Joined 10-23-2006
My host said they will make the changes. As soon as they do, I will check to see if it works with login forms. Thanks for the great script.

Posted: 24 April 2007 04:26 PM
[ # 6 ]
Research Assistant
Total Posts: 921
Joined 07-18-2006
It’s even better when it works!

Posted: 26 April 2007 12:37 PM
[ # 7 ]
Grad Student
Total Posts: 61
Joined 10-23-2006
Hi once again,
I am still getting errors with the script. First I still have to disable throttling. Second I get the following error:
Notice: Undefined index: HTTPS in /www/{removed}/public_html/system/plugins/pi.lockdown.php on line 17
Warning: Cannot modify header information - headers already sent by (output started at /www/{removed}/public_html/system/plugins/pi.lockdown.php:17) in /www/{removed}/public_html/system/core/core.functions.php on line 296
I have asked my host to update the settings and they said they will. Does this mean they have not done that yet? It has been a couple of days.
Thanks
Note: moderator edited to remove user account information.

Posted: 26 April 2007 02:56 PM
[ # 8 ]
Research Assistant
Total Posts: 921
Joined 07-18-2006
D3453 - 26 April 2007 12:37 PM
Hi once again,
I am still getting errors with the script. First I still have to disable throttling. Second I get the following error:
Notice: Undefined index: HTTPS in /www/{removed}/public_html/system/plugins/pi.lockdown.php on line 17
Warning: Cannot modify header information - headers already sent by (output started at /www/{removed}/public_html/system/plugins/pi.lockdown.php:17) in /www/{removed}/public_html/system/core/core.functions.php on line 296
I have asked my host to update the settings and they said they will. Does this mean they have not done that yet? It has been a couple of days.
Thanks
Hi Dave - sorry about that. I was running with error reporting off and didn’t notice the index notice. I’ve fixed that, and uploaded version 1.0.1. Let me know how that works for you - if they haven’t made the change it’s going to loop until it throws a fault (Firefox will alert you with that same redirection notice).
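
The two failures discussed in this thread (the "Undefined index: HTTPS" notice and the endless redirect on a clustered host) can be reproduced with the following added example, which is not part of the original post and is not the Lockdown plug-in's source. The function names are hypothetical, and trusting `X-Forwarded-Proto` is an assumption that holds only if the host confirms its balancer sets that header.

```php
<?php
// Added example; not the Lockdown plug-in's source. Function names are hypothetical.

/** True when the request reached PHP over TLS, or (optionally) when a trusted
 *  balancer reports that the client connection was TLS. */
function request_is_https(array $server, bool $trustProxyHeader = false): bool
{
    // !empty() avoids the "Undefined index: HTTPS" notice; IIS reports "off" for http.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Assumption: enable only if the host confirms its balancer terminates TLS
    // and overwrites X-Forwarded-Proto; otherwise a client can forge the header.
    if ($trustProxyHeader && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

/** https URL to redirect to, or null when the request is already secure. */
function lockdown_target(array $server, bool $trustProxyHeader = false): ?string
{
    if (request_is_https($server, $trustProxyHeader)) {
        return null;
    }
    // Drop any port and accept only plain host names before building the URL.
    $host = preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? '');
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $host)) {
        throw new RuntimeException('Unexpected Host header');
    }
    return 'https://' . $host . ($server['REQUEST_URI'] ?? '/');
}

// Constructed $_SERVER snapshots for one page requested three ways.
$base = ['HTTP_HOST' => 'www.example.com', 'REQUEST_URI' => '/members/'];
$samples = [
    'http, single server'         => $base,
    'https, single server'        => $base + ['HTTPS' => 'on'],
    'https, TLS ends at balancer' => $base + ['HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($samples as $label => $server) {
    foreach ([false, true] as $trust) {
        $target = lockdown_target($server, $trust) ?? '(serve page)';
        printf("%-28s trust=%d -> %s\n", $label, (int) $trust, $target);
    }
}
```

In the third sample with `trust=0`, the function keeps returning a redirect even though the browser is already on https, which is the loop Firefox reports. Any `Location` header built from the result has to be sent before the script produces output, otherwise PHP raises the "headers already sent" warning quoted above.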

Posted: 27 April 2007 10:59 AM
[ # 9 ]
Grad Student
Total Posts: 61
Joined 10-23-2006
Hi Brian,
Your script works great now. Many thanks.
But unfortunately, for the login script, it gets redirected back to index.php with http. My login form still submits unencrypted even though the form is sent to the user encrypted. Do you use this script for logins also?
Many thanks for the plug-in.
Dave

Posted: 27 April 2007 11:05 AM
[ # 10 ]
Research Assistant
Total Posts: 921
Joined 07-18-2006
D3453 - 27 April 2007 10:59 AM
Hi Brian,
Your script works great now. Many thanks.
But unfortunately, for the login script, it gets redirected back to index.php with http. My login form still submits unencrypted even though the form is sent to the user encrypted. Do you use this script for logins also?
Many thanks for the plug-in.
Dave
I don’t use it for log-ins actually (or haven’t). To modify that behavior I think you’d have to manually build a log-in form and use https in the action.

Posted: 16 December 2009 02:21 PM
[ # 11 ]
Grad Student
Total Posts: 56
Joined 05-12-2009
This is fantastic - Thanks for sharing!

Posted: 16 December 2009 05:08 PM
[ # 12 ]
Grad Student
Total Posts: 56
Joined 05-12-2009
On the login form, I get a pop-up on submit:
Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information?
Any hints on what I missed?
thanks!

Posted: 17 December 2009 12:28 PM
[ # 13 ]
Research Assistant
Total Posts: 921
Joined 07-18-2006
If you’re using a dynamically generated log-in form (EE makes the form), then it is trying to submit the form to http instead of https. This plug-in doesn’t affect how EE makes the log-in form itself. To do log-in, you’ll need to manually generate the log-in form and give it an action of https, instead of http…
At least that’s what I’m assuming is going on. If you look at the HTML source of your log-in page, does the form action say http or https?
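
The check suggested in this post (does the form action say http or https?) can be automated with the following added example, which is not part of the original post. The function names, the sample page URL and the sample markup are constructed for illustration.

```php
<?php
// Added example; function names and the sample markup are constructed.

/** Scheme a form will submit over: the action's own scheme, or the page's
 *  scheme when the action is empty, relative or protocol-relative. */
function form_action_scheme(string $action, string $pageUrl): string
{
    if (preg_match('#^([a-z][a-z0-9+.-]*):#i', trim($action), $m)) {
        return strtolower($m[1]);
    }
    return strtolower((string) parse_url($pageUrl, PHP_URL_SCHEME));
}

/** List every form on the page that would not submit over https. */
function insecure_forms(string $html, string $pageUrl): array
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate real-world markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $findings = [];
    foreach ($doc->getElementsByTagName('form') as $form) {
        $action = $form->getAttribute('action');
        if (form_action_scheme($action, $pageUrl) === 'https') {
            continue;
        }
        $hasPassword = false;
        foreach ($form->getElementsByTagName('input') as $input) {
            if (strtolower($input->getAttribute('type')) === 'password') {
                $hasPassword = true;
            }
        }
        $findings[] = ['action' => $action, 'password_field' => $hasPassword];
    }
    return $findings;
}

// Constructed page: served over https, but the log-in form posts to http.
$pageUrl = 'https://www.example.com/member/login';
$html = '<form method="post" action="http://www.example.com/index.php">'
      . '<input type="hidden" name="ACT" value="0" />'
      . '<input type="text" name="username" /><input type="password" name="password" />'
      . '</form><form method="get" action="/search"><input type="text" name="q" /></form>';

foreach (insecure_forms($html, $pageUrl) as $f) {
    printf("action=%s password_field=%s\n", $f['action'], $f['password_field'] ? 'yes' : 'no');
}
```

Only the first form is reported: its absolute http action sends the password in clear text even though the page itself was delivered over https, which is the condition the browser pop-up warns about.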

Posted: 17 December 2009 02:35 PM
[ # 14 ]
Grad Student
Total Posts: 56
Joined 05-12-2009
Brian M. - 17 December 2009 12:28 PM
To do log-in, you’ll need to manually generate the log-in form and give it an action of https, instead of http…
Ok - I was wondering if that was the case…
What about all the other VARS?
<div class='hiddenFields'>
  <input type="hidden" name="XID" value="cq945908q98fao894987289472398c9a" />
  <input type="hidden" name="ACT" value="12" />
  <input type="hidden" name="RET" value="https://www.myreturnurl.com/returnaddy" />
  <input type="hidden" name="site_id" value="4" />
</div>