#25025 Site remains in https after log out

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Saturday, 04 June 2016 17:20 CDT

Dakota09
Hello, hoping you can help me. On this site, www.maplerivergolfclub.com, there is a module at the bottom for members to log in, or for new members to request to join.

The process works fine, but when one logs in, the site will go to https protocol automatically. Additionally, after signing out, it stays in https.

Probably not related, but when in https, it drops a lot of the CSS, as the navigation menu and H2 & H3 titles will go to a default font.

Is any of this tied into AdminTools or the .htaccess file? I am having trouble understanding what I need to do.

Thanks!
TN

nicholas
Akeeba Staff
Manager
First of all, what you are asking has nothing to do with Admin Tools. That makes it outside our support scope.

What you describe is the intended behavior of Joomla!. It makes no sense logging in through HTTPS and then switching back to unencrypted HTTP. This would make it possible for hackers to perform a session hijacking attack by stealing the insecure, unencrypted cookies.

Since early 2011 Google has dispelled the myth that HTTPS is computationally expensive. They have said that the impact of HTTPS on the server load was between 1% and 2% which is completely insignificant. As a result the advice for the past 5 years has been to go full HTTPS on your site. In fact, the new HTTP protocol (HTTP/2) doesn't even support unencrypted communications any more.

Considering that you are making this support request to a company publishing web security software, our advice is to enable HTTPS throughout your site by default. You can do so by first going to the Global Configuration of your site and setting Force SSL to Entire Site. Then, if you are using Admin Tools' .htaccess Maker, make sure you enable the HSTS Header option (it tells the browser to never bother contacting your site through unencrypted HTTP).

Regarding the missing CSS, I suspect that you are referencing external fonts with plain HTTP URLs, i.e. URLs that start with http:// instead of https:// (HTTPS) or // (let the browser decide). When you are visiting the site over HTTPS these are considered "insecure content" and will either cause a scary warning dialog to appear (older browsers) or will be silently ignored (newer browsers). Audit your CSS and adjust the URLs of external resources.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
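
The CSS audit suggested in the reply above, as an added example that is not part of the original ticket and is not Akeeba's code: it lists every `url(...)` and `@import` reference in a stylesheet that uses plain `http://`, which a browser blocks as mixed content on an HTTPS page. The sample stylesheet and its host names are constructed, and `to_https` assumes the external host also serves the file over HTTPS.

```python
import re
from urllib.parse import urlsplit

# Constructed sample stylesheet (not taken from the site in the ticket).
SAMPLE_CSS = """
@import url("http://fonts.example.com/css?family=Lato");
@import "https://fonts.example.com/css?family=Roboto";
@font-face {
  font-family: "Menu";
  src: url(http://cdn.example.com/fonts/menu.woff) format("woff"),
       url('//cdn.example.com/fonts/menu.ttf') format("truetype");
}
/* url(http://old.example.com/ignored.png) is commented out */
h2 { background: url(  "../images/bar.png" ); }
h3 { background: url(data:image/png;base64,AAAA); }
"""

COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Matches url(...) with optional quotes, or @import "..." written without url().
REF = re.compile(
    r"""url\(\s*(['"]?)(?P<u>[^'")]*?)\1\s*\)|@import\s+(['"])(?P<i>[^'"]+)\3""",
    re.I,
)

def find_insecure_refs(css):
    """Return (line_number, url) for every plain-http reference in css."""
    # Blank out comments but keep newlines so line numbers stay correct.
    css = COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), css)
    hits = []
    for m in REF.finditer(css):
        url = (m.group("u") or m.group("i") or "").strip()
        # Relative, protocol-relative (//host), https: and data: URLs are fine.
        if urlsplit(url).scheme.lower() == "http":
            hits.append((css.count("\n", 0, m.start()) + 1, url))
    return hits

def to_https(url):
    """Suggested replacement: the same URL with the scheme switched to https."""
    return "https" + url[4:] if url[:5].lower() == "http:" else url

if __name__ == "__main__":
    for line, url in find_insecure_refs(SAMPLE_CSS):
        print(f"line {line}: {url} -> {to_https(url)}")
```

Run it over each stylesheet the template loads; an empty result means no plain-HTTP references remain in that file.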

Dakota09
Thanks Nicholas, I will look at the CSS and call outs!
