I have been searching for a good way to protect my Control Panel (CP) with SSL, but I have been stymied by the annoying IE security errors that pop up. I found a few topics in regards to removing the pesky IE security error messages when using SSL to protect the Control Panel, but nothing that seemed to provide an easy solution.
Using core version 1.6.8, I have done some ‘tweaking’ to wrap my Control Panel in SSL and vastly reduce the amount of “This Page contains both secure and
non-secure items” error messages. This “fix” does involve a tweak in 2 system files, but the tweaks are minimal.
1) I placed an .htaccess file in my system directory. The contents:
# limit access to a restricted IP subnet
# good way to only allow access via a designated work network or VPN
<LIMIT GET POST>
order deny,allow
deny from all
allow from 100.200
</LIMIT>
RewriteEngine On
# redirect any plain-http request to the same URL over https
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
# remove https if not going to the administrative section
# so, if an admin clicks on an outside link in the CP, they will
# be redirected to a non-secure page
RewriteRule !^/system/(.*) - [C]
RewriteRule ^/(.*) http://your-site-url-here/$1 [QSA,L]

I also set https in the path settings of the control panel preferences.
2) Open up /system/cp/cp.display.php. Look for line 363:
$stylesheet = $this->fetch_stylesheet();
Change to:
// match the full "http://" prefix so URLs that are already https are left alone
$stylesheet = str_replace("http://", "https://", $this->fetch_stylesheet());

This will change all of the CP background image paths in the stylesheet to https.
3) Open up /system/core/core.system.php. Look for line 445:
define('PATH_CP_IMG', $PREFS->ini('theme_folder_url', 1).'cp_global_images/');
Change to:
// match the full "http://" prefix so a theme URL that is already https is left alone
$secureImagePath = str_replace("http://", "https://", $PREFS->ini('theme_folder_url', 1));
define('PATH_CP_IMG', $secureImagePath.'cp_global_images/');

This will change the CP image paths to https.
After making these changes, the only CP page that throws the IE security error is the PUBLISH tab (the embedded Publish form appears to be the culprit).
Although editing source code is usually frowned upon, these simple fixes worked for me. Now, for my users, they can access the CP with increased security…And the IE users don’t have to worry about a plague of annoying IE nags.
Ideally, it would be nice to have an option in the CP to allow an administrator to automatically force SSL/HTTPS usage…Perhaps an automated way to add ‘https’
to the ‘theme_folder_url’ variable ($data[‘site_url’]).
Regards,
Thantos
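
To find out what still triggers the "secure and non-secure items" warning on a page such as the Publish tab, the saved HTML of that page can be scanned for subresources still requested over plain http. The Python script below is an added example, not part of the original post or of the CMS's own code; the sample markup and the example.test host are constructed.

```python
import re
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource (<a href> links do not).
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "frame": "src",
               "embed": "src", "input": "src", "object": "data", "body": "background"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    """Collects (where, url) for each subresource requested over plain http."""
    def __init__(self):
        super().__init__()
        self.hits, self._tag = [], None

    def handle_starttag(self, tag, attrs):
        attrs, self._tag = dict(attrs), tag
        name = FETCH_ATTRS.get(tag)
        # <link href> is fetched for stylesheets, not for rel="alternate" and the like.
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            name = "href"
        value = (attrs.get(name) or "").strip() if name else ""
        if value.lower().startswith("http://"):
            self.hits.append((f"{tag}[{name}]", value))
        # Inline style="background:url(http://...)" triggers the warning too.
        self._scan_css(attrs.get("style") or "", f"{tag}[style]")

    def handle_endtag(self, tag):
        self._tag = None

    def handle_data(self, data):
        if self._tag == "style":  # contents of a <style> block
            self._scan_css(data, "style block")

    def _scan_css(self, css, where):
        self.hits.extend((where, url) for url in CSS_URL.findall(css))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page (not real Control Panel output).
SAMPLE = """<head><link rel="stylesheet" href="https://example.test/themes/cp.css">
<style>#nav { background: url(http://example.test/themes/cp_global_images/bg.gif) }</style>
</head><body><a href="http://example.test/index.php">View site</a>
<img src="https://example.test/themes/cp_global_images/logo.gif">
<iframe src="http://example.test/embedded/form.html"></iframe></body>"""
if __name__ == "__main__":
    print(*(f"{w}: {u}" for w, u in find_mixed_content(SAMPLE)), sep="\n")
```

Ordinary links to http pages are not reported, since following a link does not load insecure content into the https page.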