
Deprecate loginhttps


    Details

    • Testing Instructions:

      Before running these instructions, set up SSL on your machine. See http://docs.moodle.org/27/en/Apache#SSL for instructions. If you are on Ubuntu, you can use the snakeoil cert instead of generating one: http://charles.lescampeurs.org/2012/01/14/ubuntu-11-10-setting-up-apache2-and-ssl-with-self-signed-certificate

      Before upgrading

      1. Set the moodle wwwroot to have "http://" at the beginning
      2. Enable loginhttps
      3. Log out and make sure you can login (to test https)
      4. Upgrade moodle
        1. Ensure your moodle instance is now on https://
        2. Make sure there is no longer an entry in the config table for loginhttps
        3. Verify that the forgotten password link, login and changing of passwords work
      5. Go to the create user page, click on the help icons next to some of the text boxes, verify the help box is displayed
      6. Go to the notifications page. (<your_moodle>/admin/index.php)
        1. Make sure you see "HTTPS for logins has now been deprecated. This instance is now forced to SSL. To remedy this warning change your wwwroot in config.php to https://"
      7. Manually go to login/index.php. Click cancel.
        1. Make sure you are redirected to the dashboard.
      8. Log out
        1. Make sure you are taken to the home page
      9. Log in again
      10. Go to Site administration ▶︎ Plugins ▶︎ Authentication ▶︎ Manage authentication
      11. Enable self registration
      12. Copy your keys from https://www.google.com/recaptcha/admin into the recaptcha fields at the bottom of that page
      13. Go to Site administration ▶︎ Plugins ▶︎ Authentication ▶︎ Email-based self-registration
      14. Enable recaptcha for self registration
      15. Log out
      16. Try to sign up
      17. Make sure the captcha is shown
      18. Log in as admin
      19. Go to dashboard
      20. Upload some files to my private files and in folders
      21. Use the tree / hierarchical view. Make sure you see the images successfully.
      22. Set the moodle wwwroot to have "https://" at the beginning
      23. Load any page in moodle
        1. Make sure there is no longer an entry in the config table for overridetossl
      24. Go to the login page
        1. Verify that the forgotten password link, login and changing of passwords work and use https
      25. Click on the help icons next to some of the text boxes, verify the help box is displayed
      26. Set your wwwroot back to http
        1. Verify that the site now uses http again with no warning about loginhttps
      27. Insert a new row in the table with name: loginhttps and value: true
      28. Go to the login page
        1. Verify that the forgotten password link, login and changing of passwords work and use http

      Fresh install

      1. Install Moodle on a URL with "http://" at the beginning (or use mdk or CLI Moodle; check that the wwwroot in config.php has 'http://' at the beginning)
      2. Verify that the forgotten password link, login and changing of passwords work
      3. Go to Site administration ▶︎ Security ▶︎ HTTP security
      4. Verify that the login https setting is not visible
      5. Enable Gravatar at Administration > Site administration > Users > Permissions > User policies
      6. Edit a user's profile
      7. Set the user's email to an address that you know has a gravatar (jlokely@gmail.com works)
      8. Verify that the user's picture is shown
      9. Open the image in a new tab, check that the url has "http://" at the beginning
      10. Log out
      11. Change the site's wwwroot in config.php to have "https://" at the beginning
      12. Use the forgotten password link, log in, change your password, verify that it is all https and works
      13. View the user's profile, verify that the gravatar picture is shown
      14. Open the image in a new tab, check that the url has "https://" at the beginning
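The upgrade behaviour these steps check (the loginhttps row removed from the config table, the site forced to SSL through overridetossl until wwwroot is switched to https://, and the notification shown meanwhile) as an added Python model that can be compared against an instance's config table. This is an illustration written for this page, not Moodle's upgrade code; the config keys and warning text come from the testing instructions above, the function names are assumed.

```python
"""Model of the loginhttps upgrade behaviour exercised by the testing
instructions. Added illustration, not Moodle's own upgrade code: the
config keys 'loginhttps' and 'overridetossl' and the warning text are
taken from the issue, the function names are assumed."""

WARNING = ("HTTPS for logins has now been deprecated. This instance is now "
           "forced to SSL. To remedy this warning change your wwwroot in "
           "config.php to https://")


def upgrade(config: dict) -> dict:
    """Upgrade step: loginhttps is dropped from the config table. If it was
    enabled on an http:// wwwroot, the site is forced to SSL via
    overridetossl so logins keep using https after the setting is gone."""
    cfg = dict(config)
    loginhttps = cfg.pop("loginhttps", None)
    if loginhttps and cfg["wwwroot"].startswith("http://"):
        cfg["overridetossl"] = True
    return cfg


def load_page(config: dict) -> dict:
    """Any page load after the upgrade: once wwwroot is https:// the
    temporary overridetossl entry is no longer needed and is removed.
    A stale loginhttps row (steps 27-28) is ignored entirely."""
    cfg = dict(config)
    if cfg["wwwroot"].startswith("https://"):
        cfg.pop("overridetossl", None)
    return cfg


def effective_scheme(config: dict) -> str:
    """Scheme the login, forgotten-password and change-password pages use."""
    if config["wwwroot"].startswith("https://") or config.get("overridetossl"):
        return "https"
    return "http"


def admin_notifications(config: dict) -> list:
    """Warnings expected on admin/index.php for this config state."""
    if config.get("overridetossl") and config["wwwroot"].startswith("http://"):
        return [WARNING]
    return []
```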
    • Affected Branches:
      MOODLE_26_STABLE, MOODLE_32_STABLE, MOODLE_34_STABLE
    • Fixed Branches:
      MOODLE_34_STABLE
    • Pull Master Branch:
      MDL-42834_master
    • Story Points:
      40
    • Sprint:
      3.4 Sprint 5

      Description

      In my opinion, it's about time we deprecated and removed the loginhttps config setting and sealed this potential leak.

      It was removed from Mahara over three years ago (https://bugs.launchpad.net/mahara/+bug/646713) for two primary reasons:

      • it broke AJAX login; and
      • there can be times where an http link is present on an https page.

      In Moodle we don't have AJAX login, and we have mitigated against the https -> http issue by always setting the wwwroot to the current schema.

      However, it would be really super nice if we could have AJAX login, and I don't feel that the reasons which once prevented forced use of HTTPS throughout a site are as strong as they used to be. Hardware performance is far better than it was five years ago; it's been proven how easy it is to steal sessions from non-ssl so these things are no longer theoretical or even hard; and SSL is far more widespread.

      As it is, we already load all additional content (e.g. CSS, JS, image) over SSL so it's now just the actual page content which is not.

      We no longer have issues with third-party plugins not supporting SSL (e.g. YouTube, Vimeo, etc).

      I'd like to propose that we drop support for loginhttps.

      (more documentation changes: http://docs.moodle.org/27/en/Apache)

    • Votes:
      7
    • Watchers:
      24

      Dates

    • Fix Release Date:
      13/Nov/17