[Plugin: WordPress HTTPS (SSL)] Cookies mandatory?!

Resolved jean-gui
(@jean-gui)

14 years, 1 month ago
Hi,

After the upgrade to 3.0 and 3.0.1, our site doesn’t work if you have cookies deactivated. Instead, the following content appears in the source code:
```

<script type="text/javascript">function getCookie(a){var b=document.cookie;var c=a+"=";var d=b.indexOf("; "+c);if(d==-1){d=b.indexOf(c);if(d!=0)return null}else{d+=2;var e=document.cookie.indexOf(";",d);if(e==-1){e=b.length}}return unescape(b.substring(d+c.length,e))}if(getCookie("wp_proxy")!=true){if(window.location.protocol=="https:"){document.cookie="wp_proxy=1; path=/; expires=Wed, 20-Apr-2022 16:48:03 GMT"}else if(getCookie("wp_proxy")==null){document.cookie="wp_proxy=0; path=/; expires=Wed, 20-Apr-2022 16:48:03 GMT"}if(getCookie("wp_proxy")!=null){window.location.reload()}else{document.write("You must enable cookies.")}}</script>
<noscript>Your browser does not support JavaScript.</noscript>
```
This behaviour is pretty bad. Cookies or js are not supposed to be mandatory to browse our website (we actually have a few users who don’t enable cookies) and tends to go against the rules of our company.

For now I have commented out the following piece of Hooks.php, but I don’t know if I broke anything else by doing so:
```
if ( ! $this->getPlugin()->isSsl() && ! isset($_COOKIE['wp_proxy']) ) {
                        add_action('init', array(&$this, 'proxy_check'), 1);
                        add_action('admin_init', array(&$this, 'proxy_check'), 1);
                        add_action('login_head', array(&$this, 'proxy_check'), 1);
                }
```
Also somewhat related, it appears that this plugin forces HTTPS on xmlrpc.php. But the client library included in WordPress (IXR) to access this xmlrpc server doesn’t seem to support HTTPS. So, while I think your plugin is doing the right thing since xmlrpc requires to login, it feels weird that one wordpress script (class IXR) is not able to use a script the very same provides (xmlrpc.php).

While I don’t quite understand what this proxy thing is doing, it really seems to be doing it in the bad way, by requiring cookies, and then replacing the output by some javascript code. Moreover, inserting JS is only meaningful for HTML documents. While we were debugging v3.0, we got this code inserted in the output of xmlrpc.php which makes absolutely no sense in XML-RPC world.

Are you planning to revamp that feature to make it less intrusive? Or maybe allow to deactivate it?

Thanks!

http://wordpress.org/extend/plugins/wordpress-https/

Viewing 11 replies - 1 through 11 (of 11 total)

Plugin Author mvied
(@mvied)

14 years, 1 month ago

Hey jean-gui,

It’s already removed in the development version. I hope to push it out today.

Thanks,
Mike

ELsMystERy
(@elsmystery)

14 years, 1 month ago

I just noticed that this issue broke my cron jobs, causing me to get the following messages when the jobs ran:

<!– WordPress HTTPS Proxy Check –>
<script type=”text/javascript”>function getCookie(a){var b=document.cookie;var c=a+”=”;var d=b.indexOf(“; “+c);if(d==-1){d=b.indexOf(c);if(d!=0)return null}else{d+=2;var e=document.cookie.indexOf(“;”,d);if(e==-1){e=b.length}}return unescape(b.substring(d+c.length,e))}if(getCookie(“wp_proxy”)!=true){if(window.location.protocol==”https:”){document.cookie=”wp_proxy=1; path=/; expires=Thu, 21-Apr-2022 00:00:03 GMT”}else if(getCookie(“wp_proxy”)==null){document.cookie=”wp_proxy=0; path=/; expires=Thu, 21-Apr-2022 00:00:03 GMT”}if(getCookie(“wp_proxy”)!=null){window.location.reload()}else{document.write(“You must enable cookies.”)}}</script>

I had to disable WordPress HTTPS and go back to the wp_config hack.

Plugin Author mvied
(@mvied)

14 years, 1 month ago

Hey all,

This should be fixed in 3.0.2.

Thanks,
Mike

ELsMystERy
(@elsmystery)

14 years, 1 month ago

Mike,

If you fix it, I will use it, but as a professional programmer I can tell you there is no point in being rude and ignoring people. It’s your product, it should play well, you should play well.

Plugin Author mvied
(@mvied)

14 years, 1 month ago

Hey ELsMystERy,

You caught me at a bad time. I’m sorry. I was getting a few emails an hour about the plugin and most of them were extremely unhelpful. I also have a regular job with its own pressures. I was stressed.

If you look at my history of support topics, you’ll find that I’m very helpful. This plugin didn’t get almost a perfect 5 star rating because I was rude and unhelpful. I had a recent period of inactivity due to personal issues, but I’m here now.

Thanks,
Mike

Thread Starter jean-gui
(@jean-gui)

14 years, 1 month ago

Hi,

I’ll try the new version next week. Thanks!

ELsMystERy
(@elsmystery)

14 years, 1 month ago

Mike,

I understand completely. I must commend you for addressing and replying to support requests. That’s more than some people do. I myself have lost sleep trying to get my site done and a lot of that seems to be trying to solve problems with getting cron jobs to run properly. I just recently switched from using another CMS to WordPress and am still learning the ins and out of the core functionality.

I do like your program, it does save the time of having write code to get pages to run with SSL and then troubleshoot mixed content errors. If I can solve this contact form issue I am dealing with, I will try to go through WP HTTPS and see if I can help you (I’ll let you know if I come up with anything). I took a brief look last night, but decided it was easier to turn it off to test the cron stuff.

I stopped writing free software a decade ago because I couldn’t deal with the tech support end. It’s difficult to focus on fixing a problem when you have to stop to discuss it all the time.

EM

Plugin Author mvied
(@mvied)

14 years, 1 month ago

Hey ELsMystERy,

Well, in 3.0.2 which I pushed out today, the proxy check is off by default and even if it is enabled, will not conflict with cron jobs or other scripts which may make requests to the WordPress site.

Let me know if it works for you.

Thanks,
Mike

ELsMystERy
(@elsmystery)

14 years, 1 month ago

I will try it now. i was just looking at alternate ways of detecting proxies, like:

if (
$_SERVER[‘HTTP_X_FORWARDED_FOR’]
|| $_SERVER[‘HTTP_X_FORWARDED’]
|| $_SERVER[‘HTTP_FORWARDED_FOR’]
|| $_SERVER[‘HTTP_VIA’]
|| in_array($_SERVER[‘REMOTE_PORT’], array(8080,80,6588,8000,3128,553,554))
|| @fsockopen($_SERVER[‘REMOTE_ADDR’], 80, $errno, $errstr, 30))
{
exit(‘Proxy detected’);
}

That would be a bit much to rewrite though.

Plugin Author mvied
(@mvied)

14 years, 1 month ago

Hey ELsMystERy,

I’m already doing most of that. The proxy check I was putting place is one that is impossible to detect with a server side language, hence why it is so obtrusive. It’s caused by a proxy being set up incorrectly. What I had in place would actually fix a site with a broken proxy, but it was just causing too many issues. Now the proxy check only occurs on admin pages if you’re logged in and you have Proxy set to ‘Auto’. Once the proxy check runs, it sets the setting accordingly to On or Off. The proxy check will no longer fix proxy issues for users of the site, it only detects the proxy. I’ll have to think about ways to fix this, although I wish people just wouldn’t use those proxies. Argh.

Thanks,
Mike

ELsMystERy
(@elsmystery)

14 years, 1 month ago

I like the switch. So far no problems with it set to off. I am leaving it there :). Cron jobs are running fine from cPanel after disabling Fast Secure Contact, which is giving me session errors (arggg – might have to use wp_crons, or try some more contact forms).

Nice work. I will let it run and see if I notice anything odd going on.

I know someone on a satellite connection and when I tried to setup a site to block proxy connections he couldn’t access it because his host runs everyone through them. Why, oh why?!

Viewing 11 replies - 1 through 11 (of 11 total)

The topic ‘[Plugin: WordPress HTTPS (SSL)] Cookies mandatory?!’ is closed to new replies.