Geeklog Forums

Proposed patch for the use of SSL for authentication


jlz

Forum User
Newbie
Registered: 02/15/04
Posts: 5
I wanted my users to use SSL when authenticating, to avoid passwords being sent in clear text on the network. I realized that I could use Apache redirection to have my whole site use only https, but that wasn't ideal (I guess SSL encryption penalizes performance somewhat).

Instead, I've written a patch so Geeklog would use SSL when a user is authenticating or changing his/her password. The same goes when an admin changes a password for a user.
Once authenticated, the site comes back to normal http://...

You can find the patch at: http://limozin.org/patch.ssl

There's a new variable in config.php: site_url_ssl. By default it is assumed that SSL is not set up, and site_url_ssl=site_url, so you need to manually set the correct URL if your server supports SSL (i.e. https://your.site.com).

Caveat: the patch modifies a few layout files, so if you use a layout other than the standard 'professional', you'll need to update a few files manually. The files in which you want to change {site_url} to {site_url_ssl} are:
admin/user/edituser.thtml
users/newpassword.thtml
users/loginform.thtml
preferences/profile.thtml
loginform.thtml
customlogin-header.thtml

Benta

Forum User
Regular Poster
Registered: 03/11/05
Posts: 80
Quote by jlz: I wanted my users to use SSL when authenticating, to avoid passwords being sent in clear text on the network. I realized that I could use Apache redirection to have my whole site use only https, but that wasn't ideal (I guess SSL encryption penalizes performance somewhat).

Instead, I've written a patch so Geeklog would use SSL when a user is authenticating or changing his/her password. The same goes when an admin changes a password for a user.
Once authenticated, the site comes back to normal http://...

You can find the patch at: http://limozin.org/patch.ssl

There's a new variable in config.php: site_url_ssl. By default it is assumed that SSL is not set up, and site_url_ssl=site_url, so you need to manually set the correct URL if your server supports SSL (i.e. https://your.site.com).

Caveat: the patch modifies a few layout files, so if you use a layout other than the standard 'professional', you'll need to update a few files manually. The files in which you want to change {site_url} to {site_url_ssl} are:
admin/user/edituser.thtml
users/newpassword.thtml
users/loginform.thtml
preferences/profile.thtml
loginform.thtml
customlogin-header.thtml


Thanks!

Funny, I was just spending the night to Monday doing the same thing. I tried it your way, but couldn't find all the places to put the code, so I ended up with a much less elegant solution in the morning:

I just hardcoded {site_url} to https://mysite in the layout files that relate to login (only three of them).

I'll switch to your solution now.

A question:

I'd like to make it so that all logged-in users run on SSL. I checked a little on the solution provided here:
http://lists.geeklog.net/pipermail/geeklog-users/2004-February/000808.html

However, it did not work for me, because the $_SERVER["SERVER_PROTOCOL"] didn't say https even when it was https... it said HTTP1/1 or something stupid like that (can't check it now).

But...
Shouldn't there be an easy solution somehow where I put a code snippet in the same place (right after the include in lib-common.php) that checks if the user is logged in, and in that case sets site_url = site_url_ssl?

Anyone know how to write such a line?
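
On the detection problem raised in this post, as an added example that is not part of the thread, the patch, or Geeklog's code: `$_SERVER['SERVER_PROTOCOL']` holds the HTTP version whether or not TLS is in use, while PHP reports TLS in `$_SERVER['HTTPS']`. The function names, the `$conf` array and the `$loggedIn` flag are hypothetical stand-ins; only `site_url` and `site_url_ssl` come from the thread.

```php
<?php
// Added example: hypothetical helpers, not code from Geeklog or from the patch.

// True when the request arrived over TLS. PHP reports this in
// $_SERVER['HTTPS'] (non-empty for HTTPS; some servers use "off" for HTTP).
// SERVER_PROTOCOL only holds the HTTP version and is the same either way.
function request_is_https(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    return $https !== '' && $https !== 'off';
}

// Base URL for generated links: the SSL one for logged-in users.
function pick_site_url(array $conf, bool $loggedIn): string
{
    return $loggedIn ? $conf['site_url_ssl'] : $conf['site_url'];
}

// Where to send a logged-in user who arrived over plain HTTP, or null when
// no redirect applies. Returns null if site_url_ssl is still the non-SSL
// default (site_url_ssl = site_url). Only the host is taken from the config
// so the request path is not doubled when the site lives in a subdirectory.
// Assumes HTTPS is served on the default port.
function https_redirect_target(array $conf, array $server, bool $loggedIn): ?string
{
    $sslConfigured = stripos($conf['site_url_ssl'], 'https://') === 0;
    if (!$loggedIn || !$sslConfigured || request_is_https($server)) {
        return null;
    }
    $host = parse_url($conf['site_url_ssl'], PHP_URL_HOST);
    return 'https://' . $host . ($server['REQUEST_URI'] ?? '/');
}

// Constructed sample values standing in for config.php and $_SERVER.
$conf  = ['site_url' => 'http://your.site.com', 'site_url_ssl' => 'https://your.site.com'];
$plain = ['SERVER_PROTOCOL' => 'HTTP/1.1', 'REQUEST_URI' => '/index.php?topic=1'];
$tls   = $plain + ['HTTPS' => 'on'];

var_dump(request_is_https($plain), request_is_https($tls));
var_dump(pick_site_url($conf, true));
var_dump(https_redirect_target($conf, $plain, true));
var_dump(https_redirect_target($conf, $tls, true));
```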


jlz

Forum User
Newbie
Registered: 02/15/04
Posts: 5
I am not really sure I understand the need to use SSL for logged-in users only! To me SSL is important for sensitive data like passwords, so I want SSL for authentication. Once authenticated, users can use plain http, as the password won't cross the wire and there's nothing sensitive on my site :)
If your site has sensitive enough data that you want to use SSL, you may as well configure it to use SSL for everything and every user. That's what I had before:
-> configure site_url to https://your.site
-> configure your web server to redirect all http requests to https. For example, with Apache I had the following:

Text Formatted Code

<VirtualHost yourIP:80>
        DocumentRoot /path/to/document/root
        ServerName your.site
        RedirectMatch permanent (/.*) https://your.site$1
</VirtualHost>

 

Benta

Forum User
Regular Poster
Registered: 03/11/05
Posts: 80
BTW, this is really good and I think it would be nice to have it in the next version.

jlz

Anonymous
I believe my patch was put in CVS a couple of weeks ago, so it should be in the next official release :)

vinny

Site Admin
Admin
Registered: 06/24/02
Posts: 352
Location:Colorado, USA
Encrypting only logins/authentication is useless (from a security perspective) in Geeklog. Geeklog stores the md5'd user's password in a cookie. So once logged in you pass your md5'd password on every page load. If you can intercept that (along with the other cookies) you can successfully log yourself onto Geeklog as that user (though you won't know the plain text of the password, but having the md5 you can try a password breaking program (i.e. John the Ripper) to figure it out). Encrypting just the logins and authentication adds a false sense of security without imparting any real security benefit.

If you're that worried about security on your site you should move the entire site over to https:// and just transparently redirect http:// requests to https:// and mark cookies as being required to transfer via ssl. If you really want the benefits of encrypted logins/authentication without encrypting your entire site, Geeklog will need a bigger patch than just this...

-Vinny
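
An added example, which is neither vinny's proposal nor Geeklog code, of the cookie handling this post points toward: the login cookie is marked so it only travels over SSL, and it carries a random, revocable token instead of anything derived from the password. The function names, the cookie name `login_token` and the in-memory `$store` array are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not Geeklog code.

// Attributes for a login cookie on an all-HTTPS site.
function login_cookie_options(int $lifetime): array
{
    return [
        'expires'  => time() + $lifetime,
        'path'     => '/',
        'secure'   => true,   // browser never sends it over plain http://
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ];
}

// Issue a random token for $uid. Only its SHA-256 is kept server-side, and
// nothing derived from the password ever goes into the cookie.
function issue_login_token(array &$store, int $uid, int $lifetime): string
{
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = ['uid' => $uid, 'expires' => time() + $lifetime];
    return $token;
}

// Map a presented cookie value back to a user id, or null if unknown/expired.
function uid_for_token(array $store, string $token): ?int
{
    $entry = $store[hash('sha256', $token)] ?? null;
    if ($entry === null || $entry['expires'] < time()) {
        return null;
    }
    return $entry['uid'];
}

// Logging out (or an admin reset) invalidates the token on the server.
function revoke_login_token(array &$store, string $token): void
{
    unset($store[hash('sha256', $token)]);
}

$store = [];                                   // stand-in for a database table
$token = issue_login_token($store, 42, 3600);  // constructed uid and lifetime
if (PHP_SAPI !== 'cli') {
    setcookie('login_token', $token, login_cookie_options(3600));
}
var_dump(uid_for_token($store, $token));
revoke_login_token($store, $token);
var_dump(uid_for_token($store, $token));
```

The options-array form of `setcookie()` requires PHP 7.3 or later. A captured token still logs its holder in until it expires or is revoked, which is why the `secure` attribute and the site-wide redirect go together.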