[geeklog-devel] Geeklog HTTPS

Dirk Haun dirk at haun-online.de
Sun Aug 10 14:01:28 EDT 2014


Tom <websitemaster at cogeco.net> wrote:

> Anonymous users would be just HTTP until they visited the login page (obviously the login block would have to be disabled or at least not show the user name and password field). Once the user is logged in then I guess they would surf the entire site in https (or would we just use HTTPS for the user preferences, admin pages, search and any other sensitive pages?).

See Vinny's comment in this old discussion about mixing http and https: https://www.geeklog.net/forum/viewtopic.php?showtopic=54185

If you want to have a mixed mode, you'd have to switch over to https entirely when you log in (beginning with sending the login credentials, of course).

Btw, in such a scenario, the Googlebot would still be visiting the site as an anonymous user, i.e. over http. So you won't benefit from this in terms of Google ranking. In other words, this sounds rather pointless to me (unless I'm missing something).


Switching an entire Geeklog site to https is pretty straightforward:

- change the Site URL and Admin URL to https://
- set "Cookie Secure" to True
- have a redirect in your .htaccess like so:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]


You have to look out for embedded content, though, i.e. anything from an http URL that's embedded into your now-secure https page. Things like external images, iframes, JavaScript, etc.

I don't know about plugins like the Gallery plugin, but Geeklog itself seems to be mostly fine here, assuming you've used autotags, [imageX] tags, etc. as much as possible. There was one bug with Gravatar avatars being embedded via http, but that's been fixed in Geeklog 2.1.0 now (and is trivial to patch[1] in earlier versions).

Dirk

[1] http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/49750eb159e1


-- 
https://www.themobilepresenter.com/



