I'm installing Moodle for the first time on Fedora Core 6 with SSL Logons.
I have noticed that I can log on using BOTH the secure and non secure pages (https://mysite/login and http://mysite/login). I double-checked that "Use HTTPS for Logins" is enabled, and it is.
Interestingly, when I disable SSL in Apache I can still login using http://mysite/login. ("Use HTTPS for Logins" is still enabled)
Does anybody know what can cause this?
I thought that maybe it would work if a moved the login folder out of my html root and pointed the ssl virtual directory to the new location, so in theory no non-https access will be alowed.
I will test this and re-post
Okay, i sort of got it i think. I doubt this is the recommended method but here goes.
Created a new folder /var/www/ssl_html and moved the login folder there.
Then i modified my ssl virtual directory to point to this new dir. Moodle then complained about missing config.php etc, so I created links to all the folders and files in the moodle directory.
It worked until i logged out. Of course logout.php is not ssl, so i created a new empty login folder in the non-ssl area and moved logout.php into there.
Works fine!
If anybody knows of a better way, please let me know!
Actually (and I'm a noob web admin, so admit I could very well be wrong), thinking about it in retrospect, it seems that it's obviously up to the server admin to have to require SSL on the login directory by some means. Moodle is doing it's part by directing the login files to an https url, but it can't force the server to not accept anything but an SSL connection on those files; that has to be done by the admin.
Again, I could very well be in the wrong here. It was easy enough in IIS to require a certificate on the login directory. I don't know apache, but maybe there's something that could simply be put in an .htaccess file in the login directory to require SSL?
...
just did a quick google search on it, and this site might prove helpful.
