Geeklog Forums

SSL Integration


jhackwith

Forum User
Chatty
Registered: 07/24/04
Posts: 63
Location:Lewiston, Idaho
One of the features requested several times by my clients for Geeklog is intelligent SSL integration. Shopping cart systems like OSCommerce or Zen-Cart are set up in such a way that the system automatically connects to the secure server when the client is logging in, changing their account options, checking out, or doing anything else where private information may possibly be intercepted.

Zen-Cart, for example, gets this information from configure.php, as follows:

// Define the webserver and path parameters
  // HTTP_SERVER is your Main webserver: eg, http://www.yourdomain.com
  // HTTPS_SERVER is your Secure webserver: eg, https://www.yourdomain.com
  define('HTTP_SERVER', 'http://www.yourdomain.com');
  define('HTTPS_SERVER', 'https://www.yourdomain.com');

  // Use secure webserver for checkout procedure?
  define('ENABLE_SSL', 'true');

// NOTE: be sure to leave the trailing '/' at the end of these lines if you make changes!
// * DIR_WS_* = Webserver directories (virtual/URL)
  // these paths are relative to top of your webspace ... (ie: under the public_html or httpdocs folder)
  define('DIR_WS_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');

 


We would like to submit a feature request for base-level SSL integration, enabled or disabled within config.php, that allows the Geeklog developer to configure Geeklog for their SSL server.

To do this right, I think that the following features should be included:

1. If SSL is enabled, all admin features (including admin screens for plugins if they support it) should be loaded via https://.

2. If SSL is enabled, the "My Account" section and any relevant sections under User Functions would be loaded via https://.

3. If SSL is enabled, any submission activity (articles, links, static pages, or any other content submission enabled by plugins) would be loaded via https://. This would prevent possible interception of private data when content is submitted.

4. A change in the plugin API so that plugins can be intelligently notified of SSL status. In other words, plugins could check if SSL is enabled and provide an option for content to be loaded via https://. For example, the Static Pages plugin could check to see if SSL is enabled and give an option in the Static Page Editor for enabling or disabling SSL for that page. When the page is loaded, Static Pages could automatically load it via https://.

Please let me know what you think about this idea. I'm certain I'm not the first to suggest it, though I haven't been able to find anything on geeklog.net about this specifically.

Thanks,
Jason Hackwith
Firewind Productions
"Beauty... is the shadow of God on the universe." ~ Gabriela Mistral -- Desolación

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Are you aware that you can simply run all of Geeklog via https by

1) using a https://... url in $_CONF['site_url'] and
2) setting $_CONF['cookiesecure'] = 1

Using both http and https URLs on the same Geeklog site has some issues, e.g. with cookies.

Related topic: Proposed patch for the use of SSL for authentication (specifically Vinny's post).

bye, Dirk
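
One well-known cookie issue on mixed http/https sites, as an added example that is not part of the original post and is not Geeklog or Zen-Cart code: it applies the browser's Secure-attribute rule to a constructed request sequence and compares a mixed site with the all-https setup. The function names, the example.com host and the paths are assumptions; only `$_CONF['site_url']` and `$_CONF['cookiesecure']` come from the thread.

```php
<?php
// Added illustration; not Geeklog or Zen-Cart code. The function names,
// example.com host and paths are constructed. Only $_CONF['site_url'] and
// $_CONF['cookiesecure'] are taken from the thread.

// Browser rule (RFC 6265): a cookie carrying the Secure attribute is
// returned only over https; without it, it is returned over http too.
function cookie_is_sent(bool $secureFlag, string $scheme): bool
{
    return $scheme === 'https' || !$secureFlag;
}

// For each request, report whether the session cookie travels and how.
function audit_requests(int $cookiesecure, array $urls): array
{
    $report = [];
    foreach ($urls as $url) {
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!cookie_is_sent((bool) $cookiesecure, $scheme)) {
            $report[$url] = 'cookie withheld: user looks logged out';
        } elseif ($scheme === 'https') {
            $report[$url] = 'cookie sent encrypted';
        } else {
            $report[$url] = 'cookie sent in cleartext: interceptable';
        }
    }
    return $report;
}

// Constructed scenarios: a mixed site (only sensitive paths on https) with
// either cookie setting, then a site whose site_url is https throughout.
$paths = ['/login' => true, '/article' => false, '/admin/' => true];
$scenarios = [
    'mixed, cookiesecure = 0'     => ['http://www.example.com', 0],
    'mixed, cookiesecure = 1'     => ['http://www.example.com', 1],
    'all https, cookiesecure = 1' => ['https://www.example.com', 1],
];
foreach ($scenarios as $label => [$siteUrl, $cookiesecure]) {
    $_CONF = ['site_url' => $siteUrl, 'cookiesecure' => $cookiesecure];
    $allHttps = parse_url($_CONF['site_url'], PHP_URL_SCHEME) === 'https';
    $host = parse_url($_CONF['site_url'], PHP_URL_HOST);
    $urls = [];
    foreach ($paths as $path => $sensitive) {
        $urls[] = (($allHttps || $sensitive) ? 'https' : 'http') . "://$host$path";
    }
    echo "$label\n";
    foreach (audit_requests($_CONF['cookiesecure'], $urls) as $url => $result) {
        echo "  $url: $result\n";
    }
}
```

In the mixed scenarios the session cookie is either exposed on the plain-http page or withheld from it; only the all-https scenario sends it encrypted on every request.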

jhackwith

Forum User
Chatty
Registered: 07/24/04
Posts: 63
Location:Lewiston, Idaho
Quote by Dirk: Are you aware that you can simply run all of Geeklog via https by

1) using a https://... url in $_CONF['site_url'] and
2) setting $_CONF['cookiesecure'] = 1

Using both http and https URLs on the same Geeklog site has some issues, e.g. with cookies.

Related topic: Proposed patch for the use of SSL for authentication (specifically Vinny's post).

bye, Dirk


I'm aware of that feature but that's not the issue. Running an entire site via SSL is a computationally expensive process in terms of both server and browser performance, especially where higher bandwidth is concerned. There is absolutely no reason to run an entire site in SSL. Larger sites with healthy user activity are going to see a notable decrease in performance.

I recommend Geeklog to my clients because of its scalability and robust user security features, but for possible end-uses like customer relationship management (CRM) or high-privacy applications like medical data, SSL is absolutely necessary. There is no reason that Geeklog users should have to sacrifice performance for security, or vice versa.

I used Zen-Cart as an example because it handles cookies extremely well across both SSL and regular http://. Certainly an adaptation of existing open-source code is more feasible than reinventing the wheel?

In any case, I strongly urge the Geeklog developer base to consider this as a feature.
"Beauty... is the shadow of God on the universe." ~ Gabriela Mistral -- Desolación