From 79809cc8fb1559ab2df5377a4a887a5075dd2de1 Mon Sep 17 00:00:00 2001
From: mattpiwik <matthieu.aubry@gmail.com>
Date: Sun, 12 Feb 2012 03:21:33 +0000
Subject: [PATCH] Fixes #2918  * Adding new setting force_ssl that will
 automatically redirect all http:// requests to the https:// equivalent. This
 improves the security of the Piwik server, since the token_auth is often
 found in the response body or in the GET parameters.

git-svn-id: http://dev.piwik.org/svn/trunk@5815 59fd770c-687e-43c8-a1e3-f5a4ff64c105
---
 config/global.ini.php        |  6 ++++++
 core/FrontController.php     | 10 ++++++++++
 plugins/Login/Controller.php | 16 +++++++---------
 3 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/config/global.ini.php b/config/global.ini.php
index fc3ddb1963..7e5ef14a51 100644
--- a/config/global.ini.php
+++ b/config/global.ini.php
@@ -164,6 +164,12 @@ session_save_handler = files
 ; If set to 1, Piwik redirects the login form to use a secure connection (i.e., https).
 force_ssl_login = 0
 
+; If set to 1, Piwik will automatically redirect all http:// requests to https://
+; If SSL / https is not correctly configured on the server, this will break Piwik
+; If you set this to 1, and your SSL configuration breaks later on, you can always edit this back to 0 
+; it is recommended for security reasons to always use Piwik over https
+force_ssl = 1
+
 ; login cookie name
 login_cookie_name = piwik_auth
 
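Review bot: `force_ssl = 1` ships the redirect enabled by default in global.ini.php, so every installation that upgrades without https configured will start redirecting to an https:// URL that may not be served at all, and the comment on the preceding line already acknowledges that this breaks Piwik. A safer default for the shipped file is `force_ssl = 0`, with operators opting in from their config.ini.php; the recommendation to run over https can stay in the comment. The comment should also warn that deployments terminating TLS at a reverse proxy need Piwik to recognise the request as https (presumably via a forwarded-scheme header), otherwise the redirect will loop. Minor: the "you can always edit this back to 0" line carries trailing whitespace, and the `force_ssl_login` comment above could mention that that setting is subsumed once force_ssl is on.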
diff --git a/core/FrontController.php b/core/FrontController.php
index e635d5374f..f343baca8f 100644
--- a/core/FrontController.php
+++ b/core/FrontController.php
@@ -254,6 +254,16 @@ class Piwik_FrontController
 				exit;
 			}
 
+			
+			if(Zend_Registry::get('config')->General->force_ssl == 1
+				&& !Piwik::isHttps())
+			{
+				$url = Piwik_Url::getCurrentUrl();
+				$url = str_replace("http://", "https://", $url);
+				Piwik_Url::redirectToUrl($url);
+			}
+				
+				
 			$pluginsManager = Piwik_PluginsManager::getInstance();
 			$pluginsToLoad = Zend_Registry::get('config')->Plugins->Plugins->toArray();
 			$pluginsManager->loadPlugins( $pluginsToLoad );
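Review bot: `str_replace("http://", "https://", $url)` rewrites every occurrence of `http://` in the current URL rather than only the scheme, so any query-string value that itself carries a URL (Piwik reports and API calls commonly pass referrer or page URLs as parameters) is silently altered before the redirect. Build the target the same way checkForceSslLogin in plugins/Login/Controller.php does, `$url = 'https://' . Piwik_Url::getCurrentHost() . Piwik_Url::getCurrentScriptName() . Piwik_Url::getCurrentQueryString();`, which touches nothing but the scheme. Note that the redirect cannot protect the request that triggered it: a token_auth in the GET parameters has already crossed the network in clear text, so consider additionally emitting a `Strict-Transport-Security` header on https responses so browsers stop issuing the http:// request in the first place. If Piwik::isHttps() does not honour a forwarded-proto header, installations behind a TLS-terminating proxy will loop on this redirect, which is worth confirming before the default is enabled. The enclosing method begins and ends outside the hunk.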
diff --git a/plugins/Login/Controller.php b/plugins/Login/Controller.php
index f72d56a36b..4105603b83 100644
--- a/plugins/Login/Controller.php
+++ b/plugins/Login/Controller.php
@@ -465,16 +465,14 @@ class Piwik_Login_Controller extends Piwik_Controller
 	protected function checkForceSslLogin()
 	{
 		$forceSslLogin = Zend_Registry::get('config')->General->force_ssl_login;
-		if($forceSslLogin)
+		if($forceSslLogin
+			&& !Piwik::isHttps())
 		{
-			if(!Piwik::isHttps())
-			{
-				$url = 'https://'
-					. Piwik_Url::getCurrentHost()
-					. Piwik_Url::getCurrentScriptName()
-					. Piwik_Url::getCurrentQueryString();
-				Piwik_Url::redirectToUrl($url);
-			}
+			$url = 'https://'
+				. Piwik_Url::getCurrentHost()
+				. Piwik_Url::getCurrentScriptName()
+				. Piwik_Url::getCurrentQueryString();
+			Piwik_Url::redirectToUrl($url);
 		}
 	}
 }
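Review bot: checkForceSslLogin now carries the same https-redirect logic that FrontController applies for force_ssl, so the https URL construction lives in two places and both settings can fire for a single request. Consider moving the "current URL with https scheme" construction into a shared Piwik_Url helper used by both call sites, or having this method return early when `force_ssl` is already enabled so only one redirect path exists. The method's docblock and the class header begin before the hunk; if the docblock does not already say so, it should state that on the http:// path the method issues a redirect and, assuming Piwik_Url::redirectToUrl exits (not visible here), does not return control to the caller.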