Forums | Mahara Community

SSL / HTTPS


Account deleted
Posts: 91

11 March 2009, 13:10

Some of you may find this useful if you want to use SSL / HTTPS:


If you protect the entire site using HTTPS, IE starts issuing warnings about "secure and non secure items on the page" as soon as someone links to an off-site non-HTTPS resource.


If you protect just the login page with HTTPS using Apache config, you get the same warnings, as the style sheets etc. are all referenced as HTTP.

You can get around the above problem by modifying config.php:

// In config.php: serve the home page (where the login form lives) from the
// HTTPS root, so every style sheet and script it references is also HTTPS.
// Every other page keeps the plain-HTTP root.
if ($_SERVER["REQUEST_URI"] == "/") {
    $cfg->wwwroot = 'https://mahara.org/';
} else {
    $cfg->wwwroot = 'http://mahara.org/';
}

So, if we are looking at the home page the wwwroot is https and therefore all links to style sheets coming off it are also https... thus no more nagging from IE.

The problem is that once logged in all the links are pointing to an https page, so, the next page you load, for example /group/mygroups.php will also be opened as HTTPS, and it is not until you click a link on that second page that you break back into HTTP... so... IE starts nagging you here instead...

So, in Apache (someone wiser than I) added the following:

First, set the home page to SSL / HTTPS:

# In the plain-HTTP virtual host: send requests for the home page to HTTPS.
# (Written for virtual-host context; in an .htaccess file the matched path
# has no leading slash, so the pattern would be ^$.)
RewriteEngine on
RewriteRule ^/$ https://%{SERVER_NAME}/ [R,L]

Secondly, in the SSL part of the config, this was added to force any pages that were not home to revert to HTTP:

# In the SSL virtual host: send every page other than the home page back to HTTP.
RewriteEngine on
RewriteRule ^/(.+)$ http://%{SERVER_NAME}/$1 [R,L]

So... we finally managed to protect just the login routine without IE nagging us about secure / non secure items on the page...

Regards, Jez

Account deleted
Posts: 1643

11 March 2009, 18:11

Hi - I think I might have pointed this out before, but that doesn't protect the 'session timed out please log in again' page Wink

Account deleted
Posts: 91

11 March 2009, 20:37

Well, let's just say I have not seen you point that out before Laughing

In fact, I have never seen the session timeout; what is the URL it refers to?

Thanks, Jez

Account deleted
Posts: 1643

11 March 2009, 22:19

The session timeout login page can be shown at any URL, it's a 'transient' page in that respect.

If you set the session_timeout in the database down to, say '5' (5 seconds), then log out and in again, you'll see what I mean.

I think a true login-over-SSL solution is going to require a patch to Mahara, although if you never have session timeouts then you can get away with using apache rewrites.

Iñaki Arenaza
Posts: 253

12 March 2009, 3:45

I started a patch several weeks ago, but work load and procrastination in my spare time have stalled it Embarassed

I'll try to bump it during the easter holiday.

Iñaki.

Account deleted
Posts: 91

12 March 2009, 7:49

Yes, it definitely needs a patch then Smile

The rewrites will have to do until Inaki finishes his work.

Thanks very much for producing this patch... it really is a bad plan to send LDAP SSO passwords in plain text... particularly if you have, for example, someone with access to finance systems logging into Mahara... which is quite conceivable.

Iñaki Arenaza
Posts: 253

29 March 2009, 12:02

It's been an interesting exercise (though Nigel helped me a bit, putting me on the right track Cool), but here are the patches (for 1.0.x, 1.1.x and master).

They use a new optional setting ($cfg->httpswwwroot) and should deal with transient logins (session timeouts) just fine.

The only thing that's missing (afaict) is protecting the password change page (account settings page). Things get complicated with the javascript interaction between encrypted and non-encrypted traffic and I don't master javascript/json/etc. at all, so I've given up by now Embarassed. The patches are available at

If somebody could test them and verify that I didn't miss anything obvious, maybe they could be added to core.

Saludos. Iñaki.
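The two approaches in this thread, the REQUEST_URI test in config.php plus the Apache rewrites from the first post, and the optional $cfg->httpswwwroot setting from the patch post, can be worked through in one place. What follows is an added example written for this page; it is neither Mahara code nor the patch itself. It models a split-scheme site with two hypothetical settings, wwwroot (HTTP) and httpswwwroot (HTTPS), decides per request which scheme a page needs, and makes the login form post to the HTTPS root even when it is the transient "session timed out" form rendered at an ordinary URL, which is exactly the case the path-based rewrites miss. The secure-path list and all helper names are invented for illustration. One caveat that applies to every variant of this setup: ordinary pages still run over plain HTTP, so the session cookie cannot be marked Secure and is still readable on the wire; only the password itself is protected.

```php
<?php
// Added example, not code from Mahara or from the patch discussed in this thread.
// Two hypothetical settings mirror the thread's vocabulary:
//   $cfg['wwwroot']      the plain-HTTP root for ordinary pages
//   $cfg['httpswwwroot'] the HTTPS root for anything that carries a password
// Paths and helper names below are invented for illustration.

declare(strict_types=1);

// Pages that must never be served over plain HTTP (constructed list).
const SECURE_PATHS = ['/login.php', '/account/password.php'];

function is_https_request(array $server): bool
{
    // Apache sets HTTPS=on inside an SSL vhost; some front ends set it to "off".
    if (!empty($server['HTTPS']) && strtolower((string)$server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int)$server['SERVER_PORT'] === 443;
}

function request_path(array $server): string
{
    // Drop the query string so "/login.php?foo=1" still matches "/login.php".
    $uri = (string)($server['REQUEST_URI'] ?? '/');
    return (string)parse_url($uri, PHP_URL_PATH) ?: '/';
}

function needs_https(string $path, bool $renderingLogin): bool
{
    // The transient "session timed out" login form can appear at any URL,
    // so the decision cannot rest on the path alone: a RewriteRule cannot
    // see that a login form is about to be rendered, but the application can.
    return $renderingLogin || in_array($path, SECURE_PATHS, true);
}

// Absolute URL the current request should be redirected to so that it runs on
// the scheme it needs, or null when it is already on that scheme. This does the
// job of both RewriteRules from the first post and also covers the transient login.
function scheme_redirect(array $cfg, array $server, bool $renderingLogin): ?string
{
    $path   = request_path($server);
    $secure = needs_https($path, $renderingLogin);
    if ($secure === is_https_request($server)) {
        return null;
    }
    $root  = $secure ? $cfg['httpswwwroot'] : $cfg['wwwroot'];
    $query = (string)($server['QUERY_STRING'] ?? '');
    return rtrim($root, '/') . $path . ($query === '' ? '' : '?' . $query);
}

// The login form posts to the HTTPS root no matter which page rendered it, and
// carries the page the user was on so they can be sent back there afterwards.
function login_form_action(array $cfg, string $returnPath): string
{
    return rtrim($cfg['httpswwwroot'], '/') . '/login.php?return=' . rawurlencode($returnPath);
}

// After a successful login the user goes back to the plain-HTTP copy of the page.
// Only a site-relative path is accepted, so the return parameter cannot be abused
// as an open redirect to another host.
function post_login_redirect(array $cfg, string $returnPath): string
{
    if ($returnPath === '' || $returnPath[0] !== '/' || strncmp($returnPath, '//', 2) === 0) {
        $returnPath = '/';
    }
    return rtrim($cfg['wwwroot'], '/') . $returnPath;
}

// Usage: the three situations described in the thread.
$cfg = ['wwwroot' => 'http://mahara.example/', 'httpswwwroot' => 'https://mahara.example/'];

// 1. An ordinary page reached over HTTPS right after login: bounce back to HTTP.
echo scheme_redirect($cfg, ['REQUEST_URI' => '/group/mygroups.php', 'HTTPS' => 'on'], false) ?? '(stay)', "\n";

// 2. The login page reached over plain HTTP: force HTTPS, query string preserved.
echo scheme_redirect($cfg, ['REQUEST_URI' => '/login.php?foo=1', 'QUERY_STRING' => 'foo=1', 'HTTPS' => 'off'], false) ?? '(stay)', "\n";

// 3. Session timed out on an ordinary HTTP page: the form still posts over HTTPS,
//    and the user returns to the HTTP copy of the page once logged in.
echo scheme_redirect($cfg, ['REQUEST_URI' => '/group/mygroups.php', 'HTTPS' => 'off'], true) ?? '(stay)', "\n";
echo login_form_action($cfg, '/group/mygroups.php'), "\n";
echo post_login_redirect($cfg, '/group/mygroups.php'), "\n";
```

The point of passing a $renderingLogin flag rather than matching on the path is the one Nigel raises above: the transient login form has no URL of its own, so only the code that is about to render it knows that the request must be on HTTPS. Password-change pages can be handled the same way by adding their path to the secure list, but any script on those pages that fetches from the HTTP root will trigger the same mixed-content warning the thread started with.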

Account deleted
Posts: 1643

29 March 2009, 16:47

I typed out a reply to this, but my laptop battery died Cry

Next time you're on irc, we can talk about it. Smile

One note now though - I don't know whether we've actually announced this anywhere, but we're only doing security updates for 1.0.X now. It's still supported for security issues and major regressions for a while, but we won't be putting any new features in to it.

Iñaki Arenaza
Posts: 253

29 March 2009, 17:43

Regarding the 'no new features in 1.0.x', it's OK with me. Backporting the patch from master was 30 seconds' work with git (git cherry-pick master-commit-hash), so I did it just in case someone with a 1.0.x setup is interested in it.

Keeping the patch updated when security fixes are made is a zero-effort task with git, so if there is demand for it, I could maintain it Wink

Iñaki.

Account deleted
Posts: 27

18 August 2009, 7:14

Thanks for writing this patch. I need SSL login because we're using LDAP with Mahara and therefore potentially exposing login details for various applications we run. Is there any decision yet whether this will be included in core?
