WordPress HTTPS (SSL)
[Plugin: WordPress HTTPS] admin bar disappears when visiting site (13 posts)

  1. Bart
    Member
    Posted 3 years ago #

    Hi,

    Thanks for this great plugin! It solves the problem of using SSL for the admin panel / dashboard when using a CDN that doesn't support SSL.

    After having configured the plugin (and locking myself out of the dashboard, my bad ;-) I got it working well.

    Normal site visitors via mydomain.com
    Admin via ssl.mydomain.com

    However when I am in the dashboard and click "visit site" (and preview page links) in the admin bar WP switches to the site from ssl.mydomain.com to mydomain.com and I lose the admin bar. (I enabled it in my user profiles for both site and dashboard)

    I quickly figured out that this is because I am logged in via ssl.mydomain.com and have no (not secure) login cookies for mydomain.com, so no admin bar.

    I like the admin bar very much, it speeds up working in WordPress and I really would like to have it back while using the WordPress HTTPS plugin in shared SSL mode.

    The solution to this would be to have an extra option in the WordPress HTTPS plugin that, when switched on, also rewrites all the "normal site links" when showing the dashboard from mydomain.com to ssl.mydomain.com.

    This way you actually stay on the ssl.domain.com domain and (the not secure) logon cookie still works. You can test this by going to http://ssl.mydomain.com and the admin bar will show. (if enabled in user profile)

    As an important extra of using ssl.mydomain.com, I have the option to test my site bypassing the CDN, which is really needed, because the CDN has a caching time and "visit site" will show my "old" site cached by the CDN, without the recent updates I made.

    I hope this description is clear and you are willing to implement this extra option in the plugin. It will make WordPress HTTPS even more powerful!

    Cheers, Bart

  2. Mike Ems
    Member
    Plugin Author

    Posted 3 years ago #

    Hey mcBart,

    Rewriting the URLs would not be reliable since the Force SSL Exclusively option would interfere with it. However, I'm currently working on the next version that will log you into the Shared SSL admin panel as well as the regular HTTP admin panel simultaneously. This will allow you to be logged in as an admin on both HTTP and HTTPS pages, even when using Shared SSL.

    Thanks,
    Mike

  3. Bart
    Member
    Posted 3 years ago #

    Hi Mike,

    Thanks for answering so quickly.

    Question: Is being logged in on both http and https not a security threat?
    Having admin access over http defeats the whole purpose of using SSL.

    I mean, when I am logged in over http, WordPress has to send the normally secure session cookies with user credentials over http, which makes them vulnerable to session hijacking. This is a thing I really do not want to happen, and that's why I use SSL.

    From what I know, when using the "FORCE_SSL_ADMIN" in wp-config.php, WordPress uses secured cookies with user credentials that are only sent over SSL, and a "logged in" cookie used over http to change links in the meta widget and to show the admin bar on normal pages pulled over http. When I click on a "Dashboard" link, it's an https link. On the https connection the browser includes the secured cookies with credentials. When only the normal, not secure "logged in" cookie is present, no secure cookies with user credentials are present, and the https Dashboard link is clicked, WordPress doesn't receive the secure credentials cookies and redirects to the login screen.

    So secure login cookies are never sent over http. And this never should be done when using the Dashboard over SSL.

    What I understand, and please correct me if I am wrong, is that the new option will send cookies with user credentials over both http and https. If this is the case, I think this is a really, really bad idea. It defeats the whole purpose of using SSL in the first place...

    If you are only sending the normal "logged in" cookie over http, it's OK. This is what WordPress does by default when using the "FORCE_SSL_ADMIN" directive in wp-config.php.

    But this still leaves me with the CDN issue. I would really like to have a way to connect directly with my server using ssl.mydomain.com for both the Dashboard and the site itself. The Dashboard should run over https / SSL. The site can just be non-secure http, like the standard setup using the "FORCE_SSL_ADMIN" directive.

    So implementing a rewriting option in this way would only rewrite the normal links from mydomain.com to ssl.mydomain.com and leave http as http. The WP "logged in" cookies do work over the normal http connection, because it's the same domain. And all functions well: admin bar, dashboard links, etc.

    So this method doesn't have to interfere with the "Force SSL Exclusively" option. That still can do its job.

    Which brings me to the consideration that your plugin is already great, but unfortunately lacks another great feature, which would make it even more generic in using SSL over an alternative (sub)domain. If you would consider this extra option, it would be really great.

    Point is, options may be mutually exclusive, that's really no problem. Just state it clearly as you have done with the "FORCE_SSL_ADMIN" directive and "Force Shared SSL Admin" option.

    It just makes a better plugin, that can be used in different fields.
    Shared hosting environments with SSL on a different domain.
    CDN setups that don't support SSL and let users access WordPress over an aliased domain to manage and view their sites directly.

    Viewing directly on the aliased domain, bypassing the CDN, is really important to avoid looking at an outdated page cached by the CDN.

    Which brings me to my last point: A bug / unexpected behavior I ran into testing different options and combinations.

    When I check the options Shared SSL and Force Shared SSL Admin (or use the "FORCE_SSL_ADMIN" directive instead of Force Shared SSL Admin) and I check "Force SSL Exclusively", it renders my site inaccessible, with the message "Too many redirects." in Safari, and in Firefox: "Firefox has detected that the server is redirecting the request for this address in a way that will never complete."

    So these two functions are conflicting with each other anyway. I don't know if these functions were intended to work together or are in fact mutually exclusive, but they don't work together at this time. For me that's no problem as I wouldn't use this function anyway.

    Thanks for working on this plugin and willing to answer user questions like mine.

  4. Mike Ems
    Member
    Plugin Author

    Posted 3 years ago #

    Hey mcBart,

    The method you describe is exactly what I'm doing to ensure that the admin bar and admin features on the public site remain visible.

    If I'm understanding your request correctly, you just want the admin bar to show up on your regular HTTP site when you've logged into your admin panel using Shared SSL? If that's the case, that's what I'm already working on. If not, please clarify.

    I'm not sure if managing CDN functionality is within the scope of this plugin.

    Also, your server configuration is probably throwing a false positive in the is_ssl() method in the plugin, causing a redirect loop. This is obviously not intended and I use the same configuration of options on a few websites. I wouldn't mind taking a look at your site and diagnosing exactly why that's occurring. I know you don't use the option, but another user with the same configuration could be having that issue, and I'd like my plugin to work everywhere. :)

    Thanks,
    Mike

  5. Bart
    Member
    Posted 3 years ago #

    Hi Mike,

    Thanks for clarifying. Glad that your method is what I described.

    To be sure we understand each other, I will describe my setup.

    I have hosting which always uses SSL on the same URL as the normal http connection. So I am a happy camper with this. I can also use the server's self-signed certificate on the SSL connection, so no need for a dedicated IP or dedicated certificate. I only use SSL for the Dashboard, not for securing customer connections, but if I would, I could buy an extra IP and a certificate and install it right away via the DirectAdmin control panel my host uses.

    So at first sight I don't need to use your plugin. Then the CDN (content delivery network) comes in. The free CDN I like to use doesn't allow SSL connections, so after activating the CDN, which means changing my name servers so all traffic is routed through their system, I cannot use SSL to secure Dashboard access. So I have to fix this. The way to do this is to bypass the CDN using a subdomain that I exclude from their service, which is easy to configure.

    E.g. I use the subdomain bypasscdn.mydomain.com to get directly to my server. This way I am able to use SSL for the Dashboard again.

    In the DirectAdmin control panel on my server, I set a domain alias bypasscdn.mydomain.com to mydomain.com (or every other alias subdomain name I like to use). Now bypasscdn.mydomain.com points to the same public_html with my WordPress installation directory as mydomain.com does.

    Now I try to use bypasscdn.mydomain.com to connect to WordPress and to login to the Dashboard. WordPress doesn't accept my login attempts over bypasscdn.mydomain.com.

    At this point your plugin comes in to fix things.
    I can set bypasscdn.mydomain.com as the "Shared SSL" domain = https://bypasscdn.mydomain.com and things work :-) I can login via bypasscdn.mydomain.com, bypassing the SSL limitation of the CDN. At this stage I don't use SSL for my visitors, so things are fine.

    There is only one caveat in this setup that makes working with it not a very good experience. When I want to preview a post or my site by clicking a preview or visit my site button, the links in the Dashboard for doing this point to mydomain.com. Normally this is not a problem, but using the CDN it is. I get the version cached by the CDN, not the version directly from my server. (I also don't get the admin bar at this stage, but that's quite obvious.)

    So what I would like is an option in your plugin that translates all http links to bypasscdn.mydomain.com. This way all the traffic is bypassing the CDN and is directly from my server.

    You already did the translation with all the https links, so I guess it's not that difficult to implement. So I hope you will consider this option. It is particularly useful when working with bypassing CDNs. I think this would be a great addition to the functionality of the plugin. It makes the plugin more universal for this and many other usages, like security. Think of not allowing SSL on the main domain: with force SSL no one can even attempt to login (like automatic scripts) unless you know the "Shared SSL" domain, which can be a whole other domain. Just think of it :-)

    I would be very happy if you would add this little option.

    Concerning the bug. If I have some time I can set up a user account for you in my reseller account, push a WordPress installation, install your plugin, and you can have a look at what happens when checking the different options. You will have access to DirectAdmin for the specific user panel, which has a file browser in which you can delete the plugin when the site gets stuck in a loop. It also has the Apache user and error log, but no shell.

    Just let me know

    Cheers, Bart

  6. Mike Ems
    Member
    Plugin Author

    Posted 3 years ago #

    Hey Bart,

    Is using a CDN for an entire website common practice? Every time I've used one, I've used a CDN plugin to forward all requests to static content (images, stylesheets, scripts, etc.) to the CDN, and kept my WordPress site hosted as-is. If you take that route and combine that with a good WordPress caching plugin, your load times should be nearly the same. Also, with a caching plugin you can disable caching for logged in users, so you wouldn't have to worry about seeing old content.

    All I really need is an admin account on a bare WordPress installation that has the ability to modify plugins and I should be able to work out what's going on in no time.

    Thanks,
    Mike

  7. Bart
    Member
    Posted 3 years ago #

    Hi Mike,

    Thanks for your reply.

    The CDN I'm preparing to use is the free Cloudflare service. So that works a bit differently. It has some advantages too: more security, better tracking, and it keeps serving your pages also when your hosting server is offline. The drawback is you can run into the caching thing I mentioned. Cloudflare works through changing your DNS server to theirs. On the CF account you can easily exclude a subdomain from their CDN service.
    It's fast and it's free for non SSL usage.

    So I'd like to prepare for that and have a way to totally bypass https and http via the subdomain. Your plugin with the extra option I mentioned would be ideal for that. :-)

    By the way, which CDN are you using? (I'm always into learning new techniques :-)

    Can you get me your e-mail address? I'll mail you login details as soon as I have it set up. I think I'll find some time to do this somewhere in the next couple of days.

    Cheers, Bart

  8. Moogle Stiltzkin
    Member
    Posted 3 years ago #

    Hi mvied.

    I tested your plugin to only work on a specific page on my site and it works.

    But I am getting errors for my SSL, but that is most likely my SSL setup rather than your plugin, so no worries.

    The best free CDN is Cloudflare https://www.cloudflare.com/. It protects your site from DDoS attacks for the most part, and also increases your website loading time as your site is cached on the Cloudflare servers located in many different countries. Best of all it's free.

    Problem is, it requires that you own your own domain name, which I don't :{ I'm using a free dyndns URL subdomain.

    But yes, a CDN is a very popular and wise choice for website designers. There is no real reason why it shouldn't be used :} unless of course you're using a free dyndns :{

    Anyway this is my site

    http://mognet.no-ip.info/

    When you browse to downloads > test > anime downloads, it will then prompt to use https just as your plugin promised it would :}

    https://mognet.no-ip.info/test/anime-download-test/

    So yeah this is the demo proving the plugin works =^-^=; kudos.

    Could you kindly teach me how to set SSL to work on login pages only as well?

    As well as admin pages (as a separate option). Because like I said, my SSL setup isn't configured properly, so I don't want to enable the admin pages on SSL just yet until I've fixed everything up. But for regular user logins, I want to use SSL.

    Any other suggestions where else on the site SSL could be useful?

    The reason why I don't have my main page use SSL is because I am using a free SSL. Most newbies don't know how to deal with the SSL warning page that pops up saying the site is unsafe. They most often just ignore your site when that pops up.

    So to let it be less unobtrusive, I only want to use it for WordPress member logins for now.

  9. Mike Ems
    Member
    Plugin Author

    Posted 3 years ago #

    Hi Moogle,

    You can find instructions for securing logins and/or the admin panel here http://codex.wordpress.org/Administration_Over_SSL

    Let me know if you have any questions.

    Thanks,
    Mike

  10. Bart
    Member
    Posted 3 years ago #

    Hi Mike,

    I have set up a test account for you and mailed you via your blog / site to get in contact with you via e-mail.

    I haven't heard from you since then. Please let me know how to contact you so I can mail you login details.

    Cheers, Bart

  11. Mike Ems
    Member
    Plugin Author

    Posted 3 years ago #

    Hey Bart,

    Sorry, I've been a bit busy. Email the details to mike[at]mvied[dot]com.

    Thanks,
    Mike

  12. Mike Ems
    Member
    Plugin Author

    Posted 3 years ago #

    Hey Bart,

    I've been working on this feature, but there's one little nuance that makes it not work perfectly. I've got it so that any links to pages and posts are forced to use the Shared SSL host when logged in using Shared SSL, but if you happen to click on a link that goes to the standard HTTP version of the site, there is no way to force the links and redirects back to the Shared SSL host since the authentication was done over Shared SSL. WordPress uses cookies for authentication and since the cookies are set on the Shared SSL host, the HTTP site can't detect that the user is logged in. It's not perfect, but I think it'll work for your needs.

    It would be great if you could give it a test run. If you're happy with the way it works, it'll be in the next version.

    Download: http://downloads.wordpress.org/plugin/wordpress-https.zip

    Inside, there will be a wordpress-https.php file. Replace your current wordpress-https.php file in the /wp-content/plugins/wordpress-https/ folder with that one and let me know how it works.

    Thanks,
    Mike
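
The cookie scoping discussed in this thread (the Secure credentials cookie versus the plain "logged in" cookie in post 3, and the host-bound cookies in post 12), as an added example that is not part of the original posts or the plugin's code. The Set-Cookie headers are constructed placeholders, and the matching is a simplified model of a browser's cookie rules.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers (placeholder names and values, not captured
# traffic) for the split post 3 describes, as set by https://ssl.mydomain.com.
SET_COOKIE_HEADERS = [
    "wordpress_sec_HASH=credentials; Path=/wp-admin; Secure; HttpOnly",
    "wordpress_logged_in_HASH=marker; Path=/; HttpOnly",
]

def store(headers, origin_host):
    """Parse Set-Cookie headers into a minimal jar, as a browser would."""
    jar = []
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            domain = morsel["domain"].lstrip(".").lower()
            jar.append({
                "name": name,
                # No Domain attribute: host-only cookie, exact host match.
                "host_only": not domain,
                "domain": domain or origin_host,
                "path": morsel["path"] or "/",
                "secure": bool(morsel["secure"]),
            })
    return jar

def path_matches(request_path, cookie_path):
    """Cookie path-match: equal, or a prefix ending at a '/' boundary."""
    if request_path == cookie_path or not request_path.startswith(cookie_path):
        return request_path == cookie_path
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookies_sent(jar, url):
    """Names of the cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    sent = []
    for c in jar:
        same_host = host == c["domain"]
        in_domain = not c["host_only"] and host.endswith("." + c["domain"])
        if not (same_host or in_domain):
            continue  # cookie belongs to another host
        if c["secure"] and parts.scheme != "https":
            continue  # Secure cookies never travel over plain http
        if path_matches(path, c["path"]):
            sent.append(c["name"])
    return sorted(sent)

JAR = store(SET_COOKIE_HEADERS, "ssl.mydomain.com")

if __name__ == "__main__":
    for url in ("https://ssl.mydomain.com/wp-admin/", "http://mydomain.com/"):
        print(url, cookies_sent(JAR, url))
```

Over plain http on ssl.mydomain.com only the "logged in" marker is sent, which is enough for the admin bar; on mydomain.com nothing is sent, so the site sees an anonymous visitor.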

  13. Bart
    Member
    Posted 3 years ago #

    Hi Mike,

    Apologies for my late reply. It's been a hectic time the past weeks.

    I downloaded the plugin file and installed it in Mike's testing blog.

    The links to posts and pages work great :-) This is what I wished for :-)
    However, the link "Visit site" in the admin bar still has a normal http link. Is it possible to also rewrite that link to point to https://SSL. the way you did with the view posts and pages links? The "Visit site" link in the admin bar is a very frequently used link when I am working on my blogs. So that would be really a valuable addition.

    By the way, the "Force SSL Exclusively" bug is still present, also with the new code. You still have access to the test blog to test it yourself. Just activate the option and open the site in a new tab / window. This way you will be able to switch off the option in the first window; the backend still functions, only the front end is affected.

    If you need any assistance please let me know.

Topic Closed

This topic has been closed to new replies.
