Blog Documentation Try Vanilla Cloud
Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Options

jsConnect conflicting with SSL Controllers Plugin

jcwebdevjcwebdev New
edited July 2012 in Vanilla 2.0 - 2.8

Hi folks,

I'm running jsConnect for SSO with Vanilla and Wordpress but whenever I turn on SSL Controllers, the Sign In link loads a blank popup.

I've tried changing the Sign In URL to http from https in the jsConnect settings but the same thing happens.

Has anyone else had this problem? How did they fix it?

Tagged:

Comments

  • Options
    jcwebdevjcwebdev New

    I've disabled jsConnect and found that this is with the signin popup as opposed to jsConnect. Is anyone else encountering this?

  • Options
    jcwebdevjcwebdev New

    Ok, I see that the plugin is supposed to do this as the sign in popup loads using AJAX which isn't secure. I think secure sessions can be used but I've tried configuring the plugin and it doens't change its behaviour.

  • Options
    x00x00 MVP

    What isn't secure? Loading an asset/form has nothign to do with secure sessions. Vanilla uses secure sessions, you haven't even logged on yet. Messing around with it could make it less secure.

    jsConnect is a three part handshake.

    I think the problem you are having is with mixed content. You want to disable that button anyway if you are using jsConnect, and the popup preferably.

    You need to make sure that the registration type is connect.

    you can set

    $Configuration['Garden']['Authenticator']['RegisterUrl']
$Configuration['Garden']['Authenticator']['SignInUrl']
$Configuration['Garden']['Authenticator']['SignOutUrl']

    note the last one, probably best just to hide the sign out link, as you won't have the nonce,transient key, of the connecting app.

    set

    $Configuration['Garden']['SignIn']['Popup']  = false;

    Youc could hide the sign in/sign out link, an block it using routes, server rules. Just make sure you don't block the routes that jsConnect uses.

    grep is your friend.

  • Options
    jcwebdevjcwebdev New

    The problem is with SSL Controllers. After a bit of digging around, I discovered that the AJAX sign in popup is problematic because you are requesting a secure sign in from a non-https page. As such, the popup loads but no content displays in it.

    The link to the sign in page works perfectly however, as the user is then sending data to the server from a https page. I got around the problem by using JS to remove the class that caused the link to popup.

    I created a custom plugin and loaded this:

    class CustomJSPlugin extends Gdn_Plugin {
    public function Base_Render_Before(&$Sender)
    {
    $JavaScript = '

    $(document).ready(function() { $("#Frame ul li a").removeClass("SignInPopup"); });

    ';
    // Send it to the Header of the page
    $Sender->Head->AddString($JavaScript);
    }
    }

  • Options
    x00x00 MVP

    that is exact what I said mixed content.

    You could just

    copy default.master.php to your theme and remove the class from that. just search for SignInPopup.

    alternatively you could use hooks, to riffle through the menu items, and their attributes. A bit more complex but possible.

    grep is your friend.

  • Options
    jcwebdevjcwebdev New

    Thanks for the help; no harm in using a plugin to add functionality but it is nice to know about these alternatives.

Sign In or Register to comment.