JoomlaTips.org is not affiliated with or endorsed by the Joomla! Project or Open Source Matters. The Joomla! logo is used under a limited license granted by Open Source Matters, the trademark holder in the United States and other countries.
 
Running your Joomla Website over Secure Connection


The next major release of Joomla (version 1.5) will apparently have full https support without any hacks being necessary. But what can you do if you want to run your site over https for some reason? You must hack here and there... When we ran into this problem, the hack described here hadn't been published yet, and we learned how to do it on our own. After we built our own hack, I accidentally found this one, which is more solid than the one we developed. Be aware that nobody guarantees it will work on every server configuration or Joomla installation. Enjoy the hacks, but at your own risk: we guarantee nothing here!

First and foremost: always make sure you are running the latest stable version of Joomla. Back everything up before you start! Take a deep breath, and jump in!

The simplest way of using Joomla with an SSL certificate is to run your entire site over https. To do this, you will need to add redirects from your http pages to the https versions (typically using a mod_rewrite rule in .htaccess), and make sure that the $mosConfig_live_site value in your configuration.php file contains your https URL.

However, this solution is not very satisfactory, because running your site over https is noticeably slower than http. Typically, you will want the Joomla administrator to run over https and the front-end website to run over http, perhaps switching to https when a user logs in. Joomla 1.0.x versions do not support this behaviour natively; to get it working, it is necessary to make some small hacks to certain Joomla files. Joomla 1.0.12 is the first version to support https natively to some degree (another reason to upgrade!), although it will not switch automatically between http and https on login, and in our experience it tends to revert the 'live site' setting back to http, thus not serving everything over https.

Hack no. 1.: If you want to be sure that the Joomla administrator always runs over https...

... you need to apply these hacks:

In administrator/index.php, immediately after the line that says

define( '_VALID_MOS', 1);

Add the following:

//Redirect to https if accessed over http (except when running locally)
if ($_SERVER['SERVER_NAME'] != "localhost")
{
    $port = $_SERVER["SERVER_PORT"];
    $ssl_port = "443"; //Change 443 to whatever port you use for https (443 is the default and will work in most cases)
    if ($port != $ssl_port)
    {
        $host = $_SERVER["HTTP_HOST"];
        $uri = $_SERVER["REQUEST_URI"];
        header("Location: https://$host$uri");
        exit; //Stop here so the rest of the page is not sent over plain http
    }
}

Also add the above code to /administrator/index2.php - immediately after the require_once directives near the start.

This forces the administrator to always use https. However, if you are using IE and find that it keeps warning you about insecure items on the page, you will have to add the code from Hack no. 1 above to the end of your configuration.php file instead. Don't forget that the code you add there will be lost whenever you save the 'Global Configuration' page in Joomla, so you will either have to re-add it after saving or, preferably, make changes directly in configuration.php instead of using the Joomla 'Global Configuration' screen.
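
A stricter variant of the Hack no. 1 redirect, as an added example that is not part of the original hack or of Joomla: it also honours the HTTPS server variable, only redirects to host names on a list instead of echoing the client-supplied HTTP_HOST, and returns the target so it can be checked offline. The function name, the host list and the sample requests are assumptions made for illustration, and the localhost exception is left out.

```php
<?php
// Added example (not Joomla or Netshine code); host names are placeholders.
$allowed_hosts = array('www.yourdomain.com', 'yourdomain.com');

// Returns the https URL to redirect to, or null if the request is already secure.
// $server is a copy of $_SERVER so the function can be exercised offline.
function https_redirect_target($server, $allowed_hosts, $ssl_port = 443)
{
    $https_on = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    $port = isset($server['SERVER_PORT']) ? (int) $server['SERVER_PORT'] : 80;
    if ($https_on || $port === (int) $ssl_port) {
        return null;
    }

    // HTTP_HOST is client-supplied: normalise it and only accept known names.
    $host = isset($server['HTTP_HOST']) ? strtolower($server['HTTP_HOST']) : '';
    $host = preg_replace('/:\d+$/', '', $host);
    if (!in_array($host, $allowed_hosts, true)) {
        $host = $allowed_hosts[0];
    }

    // Remove CR/LF defensively and force one leading slash so the value
    // stays a path on our own host.
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    $uri = '/' . ltrim(str_replace(array("\r", "\n"), '', $uri), '/');

    $suffix = ((int) $ssl_port === 443) ? '' : ':' . (int) $ssl_port;
    return 'https://' . $host . $suffix . $uri;
}

// Constructed sample requests, not real traffic.
$samples = array(
    array('SERVER_PORT' => '80', 'HTTP_HOST' => 'www.yourdomain.com', 'REQUEST_URI' => '/administrator/index.php'),
    array('SERVER_PORT' => '80', 'HTTP_HOST' => 'unexpected.example:80', 'REQUEST_URI' => '/administrator/'),
    array('SERVER_PORT' => '443', 'HTTPS' => 'on', 'HTTP_HOST' => 'www.yourdomain.com', 'REQUEST_URI' => '/administrator/'),
);
foreach ($samples as $s) {
    $target = https_redirect_target($s, $allowed_hosts);
    echo ($target === null ? 'no redirect' : $target), "\n";
}

// In administrator/index.php the same call would be:
//   $target = https_redirect_target($_SERVER, $allowed_hosts);
//   if ($target !== null) { header('Location: ' . $target); exit; }
```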

Hack no. 2.: If you want to enable the front-end to support https...

... you need the following hacks:

Since 1.0.12 it's necessary to add the following to the start of the template's index.php file (not the main Joomla index.php):

<?php
global $mosConfig_live_site;
if ($_SERVER['SERVER_PORT'] == 443)
{
$mosConfig_live_site = str_replace("http://", "https://", $mosConfig_live_site);
}
?>

In order to avoid problems with session cookies while switching from http to https, you will need to edit a line in the includes/joomla.php file. Find the line (around line 904) that says:

return md5( 'site' . $mainframe->getCfg( 'live_site' ) );

...and replace it with the following:

if (strpos($mainframe->getCfg('live_site'), 'http://localhost') !== false) {
    return md5( 'site' . $mainframe->getCfg( 'live_site' ) );
} else {
    //Strip the scheme so that http and https produce the same value
    return md5( 'site' . str_replace("http://", "", str_replace("https://", "", $mainframe->getCfg( 'live_site' ))) );
}

These hacks enable Joomla to handle both http and https. On their own, however, they will not cause your site to switch to https automatically. There are 2 ways to achieve this:

Hack no. 2.1. Use of the Login component

Instead of using the login module, use the login component, and link to it from a menu item of type URL - specifying https in the URL. For example, you could create a menu item that points to
https://www.yourdomain.com/index.php?option=com_login
- that way the entire login process is handled using https.

Hack no. 2.2. Use of the Login module

If you want to keep the login module, the login form itself will not be shown over https. However, by making the following alterations, the login submission is still protected, as the form will be submitted over https when the user clicks on login. In other words, it is just as secure as using Hack no. 2.1, but the user will only see the padlock icon after they have logged in. Note that the page carrying the form is still delivered over http, so this protects the submitted credentials in transit, not the form page itself.

In either case, you need to make a small amendment to the login form. If you are using Hack no.2.1, the form to be altered is in the components/com_login/login.html.php file. If using Hack no.2.2, it is in modules/mod_login.php. There is nothing stopping you using both methods, in which case you will need to alter both files.

In modules/mod_login.php, look for the line that says:

<form action="<?php echo sefRelToAbs( 'index.php' ); ?>" method="post" name="login" >

Replace that line with the following:

<form action="<?php echo strpos($mainframe->getCfg('live_site'), 'http://localhost') !== false ? 
sefRelToAbs( 'index.php' ) : sefRelToAbs( str_replace('http://', 
'https://', $mosConfig_live_site) . '/index.php' ); ?>" method="post" name="login" >

If using the login module, you will also need to go into the module parameters (log in to the Joomla administrator, go to Modules->Site Modules, and click on the login form), and set the login url to the https:// version of the page you want users to be directed to when they log in. If you don't do this, IE will hit you with a nasty warning message when you try to log in, and you could be redirected back to http.

You can also optionally redirect to http when the user logs out by setting the logout url in the module parameters. However, IE will display a warning when redirecting to http like that. To get the site back to http when logging out without the pesky warning in IE, you need to change the logout form as well. Look for the line (nearer the start of modules/mod_login.php) that says:

<form action="<?php echo sefRelToAbs( 'index.php?option=logout' ); ?>"
method="post" name="logout">

Make sure you get the one that says 'index.php?option=logout' in the middle. Replace it with:

<form action="<?php echo sefRelToAbs( str_replace('https://', 'http://',
$mosConfig_live_site) . '/index.php?option=logout' ); ?>" method="post" name="logout">

Unfortunately, with that change made, Firefox will give a warning when you log out. As IE is still the most popular browser, though (an unfortunate but changing state of affairs), the above change is probably best for the majority of your visitors. But if you ask me, I wouldn't bother with this hack.

To update the login component, go to components/com_login/login.html.php, find the line (quite near the start) that says:

<form action="<?php echo sefRelToAbs( 'index.php?option=login' ); ?>" 
method="post" name="login" id="login">

Replace it with:

<form action="<?php global $mosConfig_live_site; echo strpos($mainframe->getCfg('live_site'), 
'http://localhost') !== false ? sefRelToAbs( 'index.php?option=login' ) : 
sefRelToAbs(str_replace('http://', 'https://', $mosConfig_live_site) .
'/index.php?option=login' ); ?>" method="post" name="login" id="login">

If you want to revert back to http when they log out, scroll down to the logoutpage function (near the end of the file), and find the line that says:

<form action="<?php echo sefRelToAbs( 'index.php?option=logout' ); ?>" 
method="post" name="login" id="login">

Replace it with:

<form action="<?php global $mosConfig_live_site; echo sefRelToAbs(
str_replace('https://', 'http://', $mosConfig_live_site) .
'/index.php?option=logout' ); ?>" method="post" name="login"
id="login">

The hack was originally published by Netshine Software Limited, so all kudos go to them. Thanks, guys!
