Fixes #2918

* Adding new setting force_ssl that will automatically redirect all http:// requests to the https:// equivalent. This ensures better security for the piwik server, since the token_auth is often found in the response body or in the GET parameters. git-svn-id: http://dev.piwik.org/svn/trunk@5815 59fd770c-687e-43c8-a1e3-f5a4ff64c105

Fixes #2918
79809cc8 · mattpiwik · 2a9348ca · 79809cc8 · 79809cc8 · 79809cc8
--- a/config/global.ini.php
+++ b/config/global.ini.php
@@ -164,6 +164,12 @@ session_save_handler = files
 ; If set to 1, Piwik redirects the login form to use a secure connection (i.e., https).
 force_ssl_login = 0

+; If set to 1, Piwik will automatically redirect all http:// requests to https://
+; If SSL / https is not correctly configured on the server, this will break Piwik
+; If you set this to 1, and your SSL configuration breaks later on, you can always edit this back to 0 
+; it is recommended for security reasons to always use Piwik over https
+force_ssl = 1
+
 ; login cookie name
 login_cookie_name = piwik_auth


--- a/core/FrontController.php
+++ b/core/FrontController.php
@@ -254,6 +254,16 @@ class Piwik_FrontController
 				exit;
 			}

+			
+			if(Zend_Registry::get('config')->General->force_ssl == 1
+				&& !Piwik::isHttps())
+			{
+				$url = Piwik_Url::getCurrentUrl();
+				$url = str_replace("http://", "https://", $url);
+				Piwik_Url::redirectToUrl($url);
+			}
+				
+				
 			$pluginsManager = Piwik_PluginsManager::getInstance();
 			$pluginsToLoad = Zend_Registry::get('config')->Plugins->Plugins->toArray();
 			$pluginsManager->loadPlugins( $pluginsToLoad );

--- a/plugins/Login/Controller.php
+++ b/plugins/Login/Controller.php
@@ -465,16 +465,14 @@ class Piwik_Login_Controller extends Piwik_Controller
 	protected function checkForceSslLogin()
 	{
 		$forceSslLogin = Zend_Registry::get('config')->General->force_ssl_login;
-		if($forceSslLogin)
+		if($forceSslLogin
+			&& !Piwik::isHttps())
 		{
-			if(!Piwik::isHttps())
-			{
-				$url = 'https://'
-					. Piwik_Url::getCurrentHost()
-					. Piwik_Url::getCurrentScriptName()
-					. Piwik_Url::getCurrentQueryString();
-				Piwik_Url::redirectToUrl($url);
-			}
+			$url = 'https://'
+				. Piwik_Url::getCurrentHost()
+				. Piwik_Url::getCurrentScriptName()
+				. Piwik_Url::getCurrentQueryString();
+			Piwik_Url::redirectToUrl($url);
 		}
 	}
 }