
Logging to Admin auto redirect to HTTP from HTTPS


sbordun


Hi,

 

The following bug was found on Prestashop 1.7.2.2.

 

Conditions:

1) installed the self-signed SSL on my test server

2) Admin Portal settings "Enable SSL = YES" and "Enable SSL on all pages=NO".

 

When I open the Admin Login page as HTTPS and log in, Prestashop successfully logs me in, but opens the Dashboard as HTTP. The dashboard is supposed to be opened as HTTPS!

 

I have Prestashop 1.6 installed on the same server and do not have this logging issue.

 

Please help me.

 

Thanks,

   


Use .htaccess to force all to SSL - as a simple solution. Or analyze the dashboard functions which lead to the non-SSL request.

The following rule should work for all domains since it does not contain a fixed name for domains.

#### SCULLYS REDIRECT TO SSL, FORCE EVERYTHING! ####
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [L,R=301]
#### DONE! ####

If you change the address to https, it still redirects to http?

 

 

Yes, if I change the Admin login URL to https manually, it still redirects to http after successful login.

To be 100% sure, I just downloaded the latest 1.7.2.2 Prestashop and installed it. In Admin I enabled SSL. The issue still persists.

 

The issue could be resolved only by setting the "Enable SSL on all pages" to "YES". But I do not want to enforce Front-End to work with HTTPS.

I need Front-End to work as HTTP, but Back-End to work as HTTPS.

 

 

I could give you access to my back-end for your investigation, and limited SSH access to my test server.

How could I privately do it?

 

Thanks


 

Use .htaccess to force all to SSL - as a simple solution. Or analyze the dashboard functions which lead to the non-SSL request.

The following rule should work for all domains since it does not contain a fixed name for domains.

#### SCULLYS REDIRECT TO SSL, FORCE EVERYTHING! ####
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [L,R=301]
#### DONE! ####

 

Your settings redirect all pages, even the Front-End.

I played with different ones to redirect the Back-End.

 

RewriteEngine On
RewriteCond %{HTTP_HOST} !MYHOST_HIDDEN
RewriteRule (.*) [L]
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_METHOD} !^POST$
 

And it partially helped, with the exception that Admin uses POST sometimes and any POST request (update/insert/delete) failed.

I believe that I found a bug.

Edited by sbordun (see edit history)

But I do not want to enforce Front-End to work with HTTPS. I need Front-End to work as HTTP, but Back-End to work as HTTPS.

 

I cannot imagine a situation where this would make sense. Not using SSL will become more and more of a problem due to browser warnings popping up. I think we are not very far away from a point where browsers will no longer accept HTTP only when it comes to forms or login procedures.

Edited by Scully (see edit history)

I cannot imagine a situation where this would make sense. Not using SSL will become more and more of a problem due to browser warnings popping up. I think we are not very far away from a point where browsers will no longer accept HTTP only when it comes to forms or login procedures.

What about the most common scenario, when a guest just navigates through products in the front-end? It doesn't require SSL; simple HTTP is enough. Once the guest decides to go to the checkout page, then it is time for SSL.

 

Is it a Prestashop 1.7.2.2 bug when logging in with SSL on the admin page redirects to HTTP?

If it is NOT a bug, then why does the Prestashop admin allow me to configure the following parameters?

"Enable SSL = YES" and "Enable SSL on all pages=NO"

 

Thanks


"Enable SSL = YES" and "Enable SSL on all pages=NO"

 

Using these 2 options does exactly what you want it to...

 

What about the most common scenario, when a guest just navigates through products in the front-end? It doesn't require SSL; simple HTTP is enough. Once the guest decides to go to the checkout page, then it is time for SSL.

However I would be more concerned about the usage of a self-signed SSL certificate.  No customer in their right mind would trust it...

  • Like 1

Using these 2 options does exactly what you want it to...

 

However I would be more concerned about the usage of a self-signed SSL certificate.  No customer in their right mind would trust it...

I am in the development phase and using a self-signed certificate on the DEV server.


ok, so is this issue resolved, or is there still a problem?

 

Why does Prestashop have two parameters if it is impossible to use them, since the admin login always redirects to HTTP from HTTPS if the parameters are configured like this: "Enable SSL = YES" and "Enable SSL on all pages=NO"?

 

Is it not easier for the Presta DEV team to remove the second parameter and leave only the one "SSL Enable" parameter to enable SSL on all pages, instead of introducing a bug and misleading users who worked with Prestashop v1.5 and v1.6 and remember how these parameters work without redirection?

 

Thanks 

Edited by sbordun (see edit history)
  • Like 1

The back office does not redirect from HTTPS to HTTP; if yours does, then you have added some customized redirect rule or code. I just proved this by disabling SSL in my Prestashop back office, and then trying to access the back office. Even though SSL is disabled in my store, I can still navigate to my back office using HTTPS, and I do not get redirected to HTTP.

 

Note: The 2 options are there by design to offer greater flexibility, you are not the only user of Prestashop, and there are many reasons to have both options available.


The back office does not redirect from HTTPS to HTTP; if yours does, then you have added some customized redirect rule or code. I just proved this by disabling SSL in my Prestashop back office, and then trying to access the back office. Even though SSL is disabled in my store, I can still navigate to my back office using HTTPS, and I do not get redirected to HTTP.

 

Note: The 2 options are there by design to offer greater flexibility, you are not the only user of Prestashop, and there are many reasons to have both options available.

Could you do the following test steps in your 1.7 Prestashop please?

1) Make sure that you have these parameters set up like this: "Enable SSL = YES" and "Enable SSL on all pages=NO"

2) Log off from Admin

3) Go to the HTTPS Admin login page and log in

In my case the next page (admin Dashboard) was opened as HTTP! How about your dashboard?

 

Thanks

Edited by sbordun (see edit history)
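Added example, not part of any post in this thread: the test steps above can be made reproducible by recording the response headers of each hop and checking them for a `Location` that leaves HTTPS, plus any cookie the HTTPS hop sets without `Secure` (such a cookie is also sent on the following HTTP request). The host, paths, cookie name and function names are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample (not captured from a real shop): the URL requested at each
# hop and the raw response headers it returned. Host, paths, cookie are placeholders.
SAMPLE_HOPS = [
    ("https://shop.example/admin-placeholder/index.php",      # login form POST
     "HTTP/1.1 302 Found\r\n"
     "Set-Cookie: session=constructed; path=/; HttpOnly\r\n"
     "Location: http://shop.example/admin-placeholder/index.php?dashboard\r\n"),
    ("https://shop.example/admin-placeholder/",               # relative redirect
     "HTTP/1.1 302 Found\r\n"
     "Set-Cookie: session=constructed; path=/; Secure; HttpOnly\r\n"
     "Location: index.php\r\n"),
]


def parse_headers(raw):
    """Split a raw header block into (status_code, [(lowercase_name, value)])."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status = int(lines[0].split()[1])
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in lines[1:])]
    return status, headers


def audit_chain(hops):
    """Flag HTTPS->HTTP redirects and cookies an HTTPS hop sets without Secure."""
    findings = []
    for url, raw in hops:
        if urlsplit(url).scheme != "https":
            continue  # only hops that started out encrypted can be downgraded
        status, headers = parse_headers(raw)
        for name, value in headers:
            if name == "location" and 300 <= status < 400:
                target = urljoin(url, value)  # resolves relative Location values
                if urlsplit(target).scheme == "http":
                    findings.append(("downgrade", url, target))
            elif name == "set-cookie":
                attrs = [a.strip().lower() for a in value.split(";")[1:]]
                if "secure" not in attrs:
                    # Without Secure the browser also sends it over plain HTTP.
                    findings.append(("cookie-without-secure", url, value.split("=")[0]))
    return findings


if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_HOPS):
        print(finding)
```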

  • 2 months later...
On 08/09/2017 at 1:12 PM, bellini13 said:

The back office does not redirect from HTTPS to HTTP; if yours does, then you have added some customized redirect rule or code. I just proved this by disabling SSL in my Prestashop back office, and then trying to access the back office. Even though SSL is disabled in my store, I can still navigate to my back office using HTTPS, and I do not get redirected to HTTP.

 

Note: The 2 options are there by design to offer greater flexibility, you are not the only user of Prestashop, and there are many reasons to have both options available.

It doesn't offer ANY flexibility if it doesn't work. I have the same problem on a fresh install of 1.7. The only way I can get the back end to hold https on a jump is if I set SSL to off. It seems that the only way to enable SSL in the back end is to disable it on the front completely by turning it off.

Edited by sct (see edit history)

On 08/09/2017 at 4:09 PM, sbordun said:

Could you do the following test steps in your 1.7 Prestashop please?

1) Make sure that you have these parameters set up like this: "Enable SSL = YES" and "Enable SSL on all pages=NO"

2) Log off from Admin

3) Go to the HTTPS Admin login page and log in

In my case the next page (admin Dashboard) was opened as HTTP! How about your dashboard?

 

Thanks

Are you running in a subdirectory off root or in the root?


2 hours ago, sct said:

It doesn't offer ANY flexibility if it doesn't work. I have the same problem on a fresh install of 1.7. The only way I can get the back end to hold https on a jump is if I set SSL to off. It seems that the only way to enable SSL in the back end is to disable it on the front completely by turning it off.

It does offer flexibility and it does work, as I stated I tested this.

It may not work for you and your store, and I won't bother to guess as to what exact version of Prestashop you are using or what modules or customizations you may have made that could contribute to you having a different experience.


8 hours ago, bellini13 said:

It does offer flexibility and it does work, as I stated I tested this.

It may not work for you and your store, and I won't bother to guess as to what exact version of Prestashop you are using or what modules or customizations you may have made that could contribute to you having a different experience.

Well, it's a completely fresh installation of 1.7.2.4 in a sub-directory off root on a server that meets all the requirements with 30 products added. There are no non-prestashop modules installed. SSL certificate is from Comodo. 


And do you use nginx or Apache? Did you review the rewrite rules (depending on your webserver) in both your root folder and the subfolder to ensure there are no unexpected redirect rules in them that are doing this?

Every demo store I have for PS v1.7 is within a subfolder, and all are completely un-custom installs. I am not redirected to http on any part of the site.

Edited by bellini13 (see edit history)

On 20/11/2017 at 0:27 PM, bellini13 said:

And do you use nginx or Apache? Did you review the rewrite rules (depending on your webserver) in both your root folder and the subfolder to ensure there are no unexpected redirect rules in them that are doing this?

Every demo store I have for PS v1.7 is within a subfolder, and all are completely un-custom installs. I am not redirected to http on any part of the site.

Apache. There are no unexpected rewrite rules that I can see.


Installation has been moved to root and the same thing is happening. In fact here's the content of my .htaccess

=======

# ~~start~~ Do not remove this comment, Prestashop will keep automatically the code outside this comment when .htaccess will be generated again
# .htaccess automaticaly generated by PrestaShop e-commerce open-source solution
# http://www.prestashop.com - http://www.prestashop.com/forums

<IfModule mod_rewrite.c>
<IfModule mod_env.c>
SetEnv HTTP_MOD_REWRITE On
</IfModule>

RewriteEngine on


#Domain: XXX.XXXXXXXXX.XXX
RewriteRule . - [E=REWRITEBASE:/]
RewriteRule ^api$ api/ [L]

RewriteRule ^api/(.*)$ %{ENV:REWRITEBASE}webservice/dispatcher.php?url=$1 [QSA,L]

# Images
RewriteRule ^([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$1$2$3.jpg [L]
RewriteRule ^([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$1$2$3$4.jpg [L]
RewriteRule ^([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$1$2$3$4$5.jpg [L]
RewriteRule ^([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg [L]
RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg [L]
RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg [L]
RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg [L]
RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.jpg [L]
RewriteRule ^c/([0-9]+)(\-[\.*_a-zA-Z0-9-]*)(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/c/$1$2$3.jpg [L]
RewriteRule ^c/([a-zA-Z_-]+)(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/c/$1$2.jpg [L]
# AlphaImageLoader for IE and fancybox
RewriteRule ^images_ie/?([^/]+)\.(jpe?g|png|gif)$ js/jquery/plugins/fancybox/images/$1.$2 [L]

# Dispatcher
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ %{ENV:REWRITEBASE}index.php [NC,L]
</IfModule>

AddType application/vnd.ms-fontobject .eot
AddType font/ttf .ttf
AddType font/otf .otf
AddType application/font-woff .woff
AddType font/woff2 .woff2
<IfModule mod_headers.c>
	<FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|svg)$">
		Header set Access-Control-Allow-Origin "*"
	</FilesMatch>
</IfModule>

<IfModule mod_expires.c>
	ExpiresActive On
	ExpiresByType image/gif "access plus 1 month"
	ExpiresByType image/jpeg "access plus 1 month"
	ExpiresByType image/png "access plus 1 month"
	ExpiresByType text/css "access plus 1 week"
	ExpiresByType text/javascript "access plus 1 week"
	ExpiresByType application/javascript "access plus 1 week"
	ExpiresByType application/x-javascript "access plus 1 week"
	ExpiresByType image/x-icon "access plus 1 year"
	ExpiresByType image/svg+xml "access plus 1 year"
	ExpiresByType image/vnd.microsoft.icon "access plus 1 year"
	ExpiresByType application/font-woff "access plus 1 year"
	ExpiresByType application/x-font-woff "access plus 1 year"
	ExpiresByType font/woff2 "access plus 1 year"
	ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
	ExpiresByType font/opentype "access plus 1 year"
	ExpiresByType font/ttf "access plus 1 year"
	ExpiresByType font/otf "access plus 1 year"
	ExpiresByType application/x-font-ttf "access plus 1 year"
	ExpiresByType application/x-font-otf "access plus 1 year"
</IfModule>

<IfModule mod_headers.c>
    Header unset Etag
</IfModule>
FileETag none
<IfModule mod_deflate.c>
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/x-javascript font/ttf application/x-font-ttf font/otf application/x-font-otf font/opentype image/svg+xml
    </IfModule>
</IfModule>

#If rewrite mod isn't enabled
ErrorDocument 404 /index.php?controller=404

# ~~end~~ Do not remove this comment, Prestashop will keep automatically the code outside this comment when .htaccess will be generated again
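Added example, not part of any post in this thread: the question of whether a .htaccess holds unexpected redirect rules can be answered mechanically by listing every directive that is able to send an external redirect. The sample is a constructed excerpt that combines generated rules like those pasted above with the force-SSL rule quoted earlier; the `Redirect` line, `shop.example` and the function name are assumptions.

```python
import re

# mod_alias directives that answer with an external redirect.
ALIAS_REDIRECTS = {"redirect", "redirectmatch", "redirectpermanent", "redirecttemp"}

# Constructed excerpt: four generated-style rules, the force-SSL rule quoted
# in the thread, and one invented mod_alias line.
SAMPLE = """\
RewriteEngine on
RewriteRule . - [E=REWRITEBASE:/]
RewriteRule ^api/(.*)$ %{ENV:REWRITEBASE}webservice/dispatcher.php?url=$1 [QSA,L]
RewriteRule ^.*$ %{ENV:REWRITEBASE}index.php [NC,L]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [L,R=301]
Redirect 301 /old http://shop.example/new
"""


def redirecting_rules(htaccess_text):
    """Return [(line_no, reason, line)] for directives that can send a redirect."""
    hits = []
    for no, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments cannot redirect
        parts = line.split()
        directive = parts[0].lower()
        if directive in ALIAS_REDIRECTS:
            hits.append((no, "mod_alias redirect", line))
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            flags = [f.strip().upper() for f in flags]
            if any(f in ("R", "REDIRECT") or f.startswith(("R=", "REDIRECT="))
                   for f in flags):
                hits.append((no, "RewriteRule with R flag", line))
            elif re.match(r"https?://", target, re.I):
                # An absolute target is sent as a redirect when the host differs.
                hits.append((no, "absolute URL target", line))
    return hits


if __name__ == "__main__":
    for no, reason, line in redirecting_rules(SAMPLE):
        print(f"line {no}: {reason}: {line}")
```

An empty result for every .htaccess on the path from the document root to the shop directory means the redirect is not produced by these directives in those files.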
