Topic: https session authentication problem - SSL issue
Hi all, the forum I help admin is moving to a https based service. I'm not sure whether the problem I am experiencing is punbb based or server based. Hopefully if the problem cannot be solved here at least the problem area can be identified. I will give a quick outline of what's happening first.
Here are the important details:
Pun version: 1.3.2
db: MySQL
server: Apache/2.0.52 (Red Hat)
httpdocs\{forum-root} ~ http://{base-url} -> working perfectly
httpsdocs\{forum-root} ~ https://{base-url} -> authentication issues
The https is kind of working. If already logged into the http version you can change the url to https and browse the forum and read posts no problem. If you try and post you receive the error msg:
Warning! The following errors must be corrected before your message can be posted:
* Unable to confirm security token. A likely cause for this is that some time passed between when you first entered the page and when you posted the form. Clicking "Submit" again should solve the problem.
Clicking Submit again just repeats the message.
The real issue. When logged out of a session and trying to log into the https version of the login page you get the following messages on the login.php page:
Please confirm or cancel your last action
Unable to confirm security token. A likely cause for this is that some time passed between when you first entered the page and when you submitted a form or clicked a link. If that is the case and you would like to continue with your action, please click the Confirm button. Otherwise, you should click the Cancel button to return to where you were.
'Confirm' 'Cancel' (buttons)
When clicking confirm you get the following Security Warning popup:
Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information?
After clicking the Continue button I am redirected to this url:
http://{base-url}:443/login.php
with the following message:
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Hint: https://127.0.0.1/
Apache/2.0.52 (Red Hat) mod_ssl/2.0.52 OpenSSL/0.9.7a FrontPage/5.0.2.2635 Server at 127.0.0.1 Port 443
Is it a matter of getting the above url to read
https://{base-url}/login.php
minus the :443 or is it something more complicated.
Here is the config.php file for the https install (which was just copied directly from the http install with the config file changed accordingly)
<?php
$db_type = 'mysql';
$db_host = 'xx';
$db_name = 'xx';
$db_username = 'xx';
$db_password = 'xx';
$db_prefix = '';
$p_connect = false;
$base_url = 'https://url.org';
$cookie_name = 'forum_cookie_5ca60a';
$cookie_domain = '';
$cookie_path = '/';
$cookie_secure = 0;
define('FORUM', 1);
I was mainly trying different combinations of $base_url, $cookie_domain and $cookie_secure = 0 or 1 but to no avail. I have a feeling it's something fairly simple in the config file that has to be properly set. After searching for a while I couldn't find any previous answers to this problem if they exist.
Sorry for the length of this post if you read through it all. I thought it'd be best to include as much relevant details as possible. Apologies if this is in the wrong section, mods please move if it's not.
Thanks for taking up your valuable time. I look forward to any help or hints in the right direction that anyone can provide.
If the solution is something trivial please take great pleasure in pointing it out and I shall act sufficiently bashful
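A way to check the symptoms described in the post above against the posted settings, as an added example that is not part of the original post and is not PunBB code. It parses the `config.php` assignments and compares the configured `$base_url` with a URL the forum redirected to. The function names, the finding labels and the use of `url.org` as the host in the observed URL are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the settings from the post, with its placeholder host kept.
CONFIG_PHP = """<?php
$base_url = 'https://url.org';
$cookie_name = 'forum_cookie_5ca60a';
$cookie_domain = '';
$cookie_path = '/';
$cookie_secure = 0;
"""

DEFAULT_PORT = {"http": 80, "https": 443}

def parse_config(text):
    """Collect simple `$name = value;` assignments from a config.php body."""
    pairs = re.findall(r"^\s*\$(\w+)\s*=\s*(?:'([^']*)'|(\w+))\s*;", text, re.M)
    return {name: quoted if bare == "" else bare for name, quoted, bare in pairs}

def origin(url):
    """Return (scheme, host, effective port) for a URL."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORT.get(parts.scheme)

def audit(config_text, observed_url):
    """List mismatches between the configured base URL and a URL the forum produced."""
    cfg = parse_config(config_text)
    base_scheme, base_host, base_port = origin(cfg["base_url"])
    scheme, host, port = origin(observed_url)
    findings = []
    # Cleartext request aimed at the TLS listener: Apache answers "Bad Request".
    if scheme == "http" and port == DEFAULT_PORT["https"]:
        findings.append("plain-http-on-tls-port")
    if (scheme, port) != (base_scheme, base_port):
        findings.append("scheme-or-port-differs-from-base_url")
    if host != base_host:
        findings.append("host-differs-from-base_url")
    # Without the Secure flag the browser may also send the session cookie over http.
    if base_scheme == "https" and cfg.get("cookie_secure") != "1":
        findings.append("session-cookie-not-marked-secure")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG_PHP, "http://url.org:443/login.php"):
        print(finding)
```

The findings describe inconsistencies visible in the posted data; they do not by themselves establish which component builds the `http://...:443` URL.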