Forcing SSL for logins

core24

Joined: 2005-05-18
Posts: 3
Posted: Wed, 2005-05-18 01:03

I'm brand new to Gallery (it is freaking awesome by the way) and am a security guy. I've got G2 set up on both SSL and non-SSL ports. However, the SSL version does not make use of an HTTPS URL for the login form. So, I want to do two things:

1) Make the Gallery SSL version utilize the HTTPS URL for the login form (and for any URLs I would imagine). The code for the main login form seems to be in modules/core/templates/LoginSystemContent.tpl and uses the Gallery internal smarty variable {g->url}. Is there a bug that may be causing this variable to be set with HTTP rather than HTTPS?

2) Make the Gallery non-SSL version utilize HTTPS URLs for any login forms so that guests can browse without SSL, but admins and album administrators can utilize HTTPS for their login session.

Any pointers would be appreciated!

-Jason

 
drhiii

Joined: 2003-04-27
Posts: 397
Posted: Wed, 2005-05-18 07:47

Also being a security guy, this would be a good thing. SSL for at least admins.

Ideas anyone?

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Wed, 2005-05-18 10:26

The UserLogin.inc controller could check if the protocol used to login is https or not. And if not, it could gracefully fail / redirect to a ssl page.

 
bharat
bharat's picture

Joined: 2002-05-21
Posts: 7994
Posted: Thu, 2005-05-19 04:39

If you really want to be secure, you need to use HTTPS for the lifetime of your G2 session, not just for the login page. Otherwise, even though your password is sent via SSL, your cookie isn't and somebody snooping will be able to steal your session.

If you use the HTTPS url to G2, I believe that all further urls will be in HTTPS also so theoretically you can enable security just by controlling your own URL. Otherwise, you could add a core parameter in modules/core/AdminCore.inc to require that the login page be SSL and then do the redirect as valiant suggests.

 
core24

Joined: 2005-05-18
Posts: 3
Posted: Sat, 2005-05-21 20:00

Certainly understand the need to secure the session data as well as login and password. The ideal solution would ensure SSL for any authenticated user.

As for the comment from bharat "theoretically you can enable security just by controlling your own URL", practice is not living up to the theory. Like I said in my initial post, the {g->url} value does not contain HTTPS even when the whole Apache virtualhost I'm using to access gallerys is SSL-enabled.

Perhaps there is an issue with the rewrite module that is rewriting the base URL to be HTTP only? I'll try disabling this module and see if anything changes.... Okay, I did just that and did indeed find that it is the URL Rewrite module that is forcing the relative URLs to be HTTP and not HTTPS. Somehow it is modifying {g->url} in a bad way that is not protocol-agnostic. Will need more investigation. I do have a dual HTTP/HTTPS instance so URL Rewrite must not be advanced enough to handle this.

Seems like if this were to be fixed, it would address one of the issues. Then the remaining item would be to modify the right files to force the login form targets at least to be HTTPS. Probably will need more research to see how to keep the whole authenticated user session on the HTTPS instance.

 
bharat
bharat's picture

Joined: 2002-05-21
Posts: 7994
Posted: Tue, 2005-06-07 03:21

This is a bug in the url generator. It should properly maintain https for you. Can you please file a bug against this? Thanks!

 
mikeyb

Joined: 2005-08-15
Posts: 1
Posted: Mon, 2005-08-15 23:05

I am very much interested in implementing some of the things talked about in this post.

It seems the two files that need patching in order to redirect the non-ssl login page to an ssl one... modules/core/AdminCore.inc and modules/core/UserLogin.inc

bharat said that AdminCore.inc would need to have a core paramter added that would require the login page to be ssl...

then i guess the actual redirect to the ssl page would take place in UserLogin.inc

Do I have this right?

Anyway, I am not very experienced with php and would appreciate any help/direction that anyone could provide. I would really like to get it working this way before i make my gallery2 install internet facing.

thanks for any help

 
skion

Joined: 2005-09-19
Posts: 1
Posted: Mon, 2005-09-19 13:01

I'm using https for the multisites, and http for the codebase. Would that be secure aswell?

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Mon, 2005-09-19 13:16

the question is how you access G2. and obviously you access your multisites with https, hence it's secure (it's using SSL).

 
jack118

Joined: 2007-10-02
Posts: 3
Posted: Tue, 2007-10-02 19:29

I would like to force all Gallery2 pages through SSL. I have tested with Firefox and IE 6 & 7 the URL redirect and if you enter via HTTPS, it will stay HTTPS for the remainder of the session.

Gallery2 will respond to HTTP correctly with Firefox & IE 6 & 7. If someone tries HTTP, I would like to to automatically say "Please use HTTPS...you will be redirected in 5 secs" etc.

It looks like there were several options mentioned above to force SSL. Has anyone requested an enhancement "check box" on the admin page that would 'require SSL'?

In the meantime, what is the best way to force all traffic via SSL?

1) modify AdminCore.inc and UserLogin.inc? If so, how would I modify these to modules correctly? Sorry but I'm a hardware guru, not a coding guru...thx for your patience
2) /Gallery2/.htaccess redirect? This looks possible...is that the case?
3) In config.php, there is the URL override. $gallery->setConfig('baseUri', 'https://example.com:8080/gallery2/index.php'); Will this force SSL connections?
4) HTML META redirect via a different "link-to" page in front of the /Gallery2/main.php. This only abstracts the SSL issue away from user but doesn't really force SSL for any connection.

Any thoughts and thank you in advance for your comments!

 
jack118

Joined: 2007-10-02
Posts: 3
Posted: Tue, 2007-10-02 20:13

In the config.php, I tried setting the baseUri to https://example.com:8080/gallery2/index.php and was getting a strange error where after authenticating, it would take me back to the login page. I found a different thread that talked about setting this to https://example.com:8080/gallery2/main.php and it now logs me in correctly. This seems to force SSL in that I now can't login with HTTP because it redirects to HTTPS.

Am I safe to assume that the baseUri redirect will always force the use of SSL?

 
mbeazley

Joined: 2008-05-12
Posts: 15
Posted: Sat, 2009-03-21 14:39

jack118's simple solution worked great for me. Thanks!!!

 
TopQuark

Joined: 2009-06-14
Posts: 1
Posted: Sun, 2009-06-14 20:57

You can force logged-in users to use HTTPS (and guest users to use HTTP) by looking for the login cookie using mod_rewrite in Apache.

In your HTTP VirtualHost, put:
RewriteEngine On
RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR]
RewriteCond %{QUERY_STRING} subView=core\.UserLogin
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L]

In your HTTPS VirtualHost, put:
RewriteEngine On
RewriteCond %{HTTP_COOKIE} =""
RewriteCond %{REQUEST_METHOD} =GET
RewriteCond %{QUERY_STRING} !subView=core\.UserLogin
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L]

Then, unset baseUri in config.php (to keep Gallery from trying to redirect users to either HTTP or HTTPS):
$gallery->setConfig('baseUri', '');

 
scaturan
scaturan's picture

Joined: 2004-09-12
Posts: 1153
Posted: Wed, 2010-09-29 08:00

thanks to this thread, I was able to secure a multisite and codebase that were running on separate subdomains (same parent domain) pointing the same IP address:

ingredients:

Apache 2.2.16
Gallery 2.3.1

http://basho.buriguri.jp/blog/secure-photo-sharing-gallery-2-multisite

___________________________________________________
http://pixi.me/