2. Home
  3. Hacking Joomla!
  4. Hacking the core
  5. Running your Joomla Website over Secure Connection

Running your Joomla Website over Secure Connection

Joomla 1.5 and newer versions have full https support without any hacks being necessary. But what you can do if you want to run your Joomla 1.0 site over https for some reason? Upgrade it! ... Easy to say, I am managing even Mambo based sites, running rock solid and doing the job they have built for, so this might be out of question. Bud don't despair, You can do it! You must hack here and there...

When I first run into this problem, the hack described below wasn't published yet and I learned it on a hard way how to do it on our own. But after I build my own hack, I found this one, which is more solid, as the one I developed. Be aware, that nobody guarantees to work on every server configuration or Joomla installation. Enjoy the hacks - but on your own risk, I don't guarantee nothing here!

First and foremost: always make sure you are running the latest stable version of Joomla. Back everything up before you start! Take a deep breath, and jump in!

The simplest way of using Joomla with an SSL certificate is to run your entire site over https. To do this, you will need to add redirects from your http pages to the https versions (typically using a mod_rewrite rule in .htaccess), and make sure that the $mosConfig_live_site value in your configuration.php file contains your https URL.

However, the solution is not a very satisfactory, because running your site over https is noticeably slower than http. Typically, you will want the Joomla administrator to run over https, and the front-end website to run over http - perhaps switching to https when a user logs in. Joomla 1.0.x versions do not support this behavior natively - to get it working, it is necessary to make some small hacks to certain Joomla files. Joomla 1.0.12 is the first version to support https to a given degree natively - another reason to upgrade! -, although it will not switch automatically between http and https on login, and in our experience, it tends to revert the 'live site' setting back to http, thus not serving everything over https.

Hack no. 1.: If you want to be sure that the Joomla administrator always runs over https...

... you need to apply these hacks:

In administrator/index.php, immediately after the line that says

define( '_VALID_MOS', 1);

Add the following:

// Redirect to https if accessed over http (except when running locally)
if ($_SERVER['SERVER_NAME'] != "localhost")
{
$port = $_SERVER["SERVER_PORT"];
$ssl_port = "443"; //Change 443 to whatever port you use for
https (443 is the default and will work in most cases)
if ($port != $ssl_port) 
{
$host = $_SERVER["HTTP_HOST"];
$uri = $_SERVER["REQUEST_URI"];
header("Location: https://$host$uri");
}
}

Also add the above code to /administrator/index2.php - immediately after the require_once directives near the start.

This forces the administrator to always use https. However, if you are using IE and find that it keeps warning you about insecure items on the page, you will have to add the code from part 1 to the end of your configuration.php file instead. Don't forget, that the code you add there will be lost whenever you save the 'Global Configuration' page in Joomla, so you will either have to re-add it after saving, or preferably make changes directly in configuration.php instead of using the Joomla 'Global Configuration' screen).

Hack no. 2.: If you want to enable the front-end to support https...

... you need the following hacks:

Since 1.0.12 it's necessary to add the following to the start of the template's index.php file (not the main Joomla index.php):

<?php
global $mosConfig_live_site;
if ($_SERVER['SERVER_PORT'] == 443)
{
$mosConfig_live_site = str_replace("http://", "https://", $mosConfig_live_site);
}
?>

In order to avoid problems with session cookies while switching from http to https, you will need to edit a line in the includes/joomla.php file. Find the line (around line 904) that says:

return md5( 'site' . $mainframe->getCfg( 'live_site' ) );

...and replace it with the following:

if (strpos($mainframe->getCfg('live_site'), 'http://localhost') !== false) {
return md5( 'site' . $mainframe->getCfg( 'live_site' ) ); 
} else {
return md5( 'site' . str_replace("http://", "", str_replace("https://", 
"", $mainframe->getCfg( 'live_site' ))) );}

These hacks enable Joomla to be able to handle both http and https. These alone however not will cause your site to automatically switch to https. There are 2 ways to achieve this:

Hack no. 2.1. Use of the Login component

Instead of using the login module, use the login component, and link to it from a menu item of type URL - specifyinghttps in the URL. For example, you could create a menu item that points to
https://www.yourdomain.com/index.php?option=com_login
- that way the entire login process is handled using https.

Hack no. 2.2. Use of the Login module

If you want to keep the login module, the login form itself will not be shown over https, however by making the following alterations, the login submission is still protected as the form will be submitted over https when the user clicks on login. In other words, it is just as secure as using Hack no.2.1, but the user will see the padlock icon just after they have logged in.

In either case, you need to make a small amendment to the login form. If you are using Hack no.2.1, the form to be altered is in the components/com_login/login.html.php file. If using Hack no.2.2, it is in modules/mod_login.php. There is nothing stopping you using both methods, in which case you will need to alter both files.

In modules/mod_login.php, look for the line that says:

<form action="" method="post" name="login" >

Replace that line with the following:

<form action="" method="post" name="login" >

If using the login module, you will also need to go into the module parameters(login to Joomla administrator, go to Modules->Site Modules, and click on the login form), and set the login URL to the https:// version of the page you want users to be directed to when they log in. If you don't do this, IE will hit you with a nasty warning message when you try to log in, and you could be redirected back to http.

You can also optionallyredirect to http when the user logs out by setting the logout URL in the module parameters. However, IE will display a warning when redirecting to http like that. To get the site back to http when logging out without the pesky warning in IE, you need to change the logout form as well. Look for the line (nearer the start of modules/mod_login.php) that says:

<form action=""
method="post" name="logout">

Make sure you get the one that says 'index.php?option=logout' in the middle. Replace it with:

<form action="" method="post" name="logout">

Unfortunately, with that change made, Firefox will give a warning when you logout. As IE is still the most popular browser though (which is the unfortunate, but changing state of the facts), the above change is probably best for the majority of your visitors. But if you ask me, I wouldn't bother with this hack.

To update the login component, go to components/com_login/login.html.php, find the line (quite near the start) that says:

<form action="" 
method="post" name="login" id="login">

Replace it with:

<form action="" method="post" name="login" id="login">

If you want to revert back to http when they log out, scroll down to the logoutpage function (near the end of the file), and find the line that says:

<form action="" 
method="post" name="login" id="login">

Replace it with:

<form action="" method="post" name="login"
id="login">

The professional company id-meneo provides all the information on agence web paris.

If you are looking for air conditioning repair air conditioning repair then visit this page .

If you are looking for testosterone pills then read more .