with loginhttps the cookiesecure security check fails

by Michael Schneider -
Number of replies: 4

Dear people,

Our Moodle site runs behind an SSL offloading proxy. Besides that, I still have loginhttps='1' set, which to my understanding should be no problem. I have also altered some of the cookie settings, especially cookiesecure='1'. With these settings, the cookiesecure security check always fails because loginhttps is enabled. I don't understand how a forced login via HTTPS could interfere with secure cookies, so could anyone explain why the check fails, or might it be a bug?

Regards,

Michael

In reply to Michael Schneider

Re: with loginhttps the cookiesecure security check fails

by Dave Perry -

Ours is HTTPS sitewide, and we don't have loginhttps set. At a guess, the security check fails on any other page as it's not HTTPS sitewide.

We don't have cookiesecure set; for those that do (so can answer more than I can right now), you need to confirm if you're doing sitewide HTTPS via your reverse proxy, or just on the login page.

In reply to Dave Perry

Re: with loginhttps the cookiesecure security check fails

by Michael Schneider -

Is there any setting in Moodle to set HTTPS sitewide, or do you refer to enforcing redirects to HTTPS if an unencrypted request comes in? If the latter, I can confirm it is configured like this most of the time. Though it happens that a new domain might not redirect to HTTPS at first until our proxy admins alter their configuration. That's why I still left loginhttps enabled.

In reply to Michael Schneider

Re: with loginhttps the cookiesecure security check fails

by Dave Perry -

In config.php, change wwwroot to https://yourdomain and sslproxy to true (we don't do the sslproxy setting, as we have the certificate on our local server - that way, internal clients hit that first which is faster, but they still get a valid https connection).

https://docs.moodle.org/33/en/Transitioning_to_HTTPS has more details

https://docs.moodle.org/33/en/Search_and_replace_tool (updates all your links to https)



In reply to Dave Perry

Re: with loginhttps the cookiesecure security check fails

by Michael Schneider -
Thanks for your explanations. I've removed the loginhttps settings from config.php and now the check succeeds.

All the best.
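The config.php changes suggested in this thread (https wwwroot, sslproxy when TLS ends on the proxy, no loginhttps next to cookiesecure) can be checked with a small script. This is an added example, not part of the original posts and not Moodle code; the function names, finding labels and both sample configs are constructed for illustration.

```python
import re

# Matches literal assignments such as: $CFG->wwwroot = 'https://example.org';
# Lines starting with // or # do not match, so commented-out settings are skipped.
ASSIGN = re.compile(r"^\s*\$CFG->(\w+)\s*=\s*(.+?)\s*;", re.M)

def parse_cfg(text):
    """Return {setting: value} for simple $CFG assignments in config.php text."""
    return {name: raw.strip("'\"") for name, raw in ASSIGN.findall(text)}

def truthy(value):
    """Approximate PHP truthiness for the literal values seen in config.php."""
    return value is not None and value.lower() not in ("", "0", "false", "null")

def audit(text, tls_on_proxy):
    """List the settings that differ from what the thread ended up with.

    tls_on_proxy: True when TLS is terminated on a proxy in front of Moodle
    (an assumption about the deployment that the caller must supply).
    """
    cfg = parse_cfg(text)
    findings = []
    if not cfg.get("wwwroot", "").lower().startswith("https://"):
        findings.append("wwwroot-not-https")
    if truthy(cfg.get("loginhttps")) and truthy(cfg.get("cookiesecure")):
        # The combination that made the cookiesecure check fail in the thread.
        findings.append("loginhttps-with-cookiesecure")
    if tls_on_proxy and not truthy(cfg.get("sslproxy")):
        findings.append("sslproxy-missing")
    return findings

# Constructed sample: login-only HTTPS plus secure cookies behind a proxy.
BEFORE = """
$CFG->wwwroot = 'http://moodle.example.org';
$CFG->loginhttps = '1';
$CFG->cookiesecure = '1';
"""

# Constructed sample: sitewide HTTPS, loginhttps removed.
AFTER = """
$CFG->wwwroot = 'https://moodle.example.org';
$CFG->sslproxy = true;
// $CFG->loginhttps = '1';
$CFG->cookiesecure = '1';
"""

if __name__ == "__main__":
    print("before:", audit(BEFORE, tls_on_proxy=True))
    print("after: ", audit(AFTER, tls_on_proxy=True))
```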