Force SSL Login


#1

Hello

In my situation it is not possible to use force_ssl=1 in the config.ini.php file, for more than one reason. One reason is the scripts which are using the API, another is the web cron. I can’t change that! I guess I’m not alone with this problem.

My suggestion is to introduce a special flag only for the web login. For example: force_ssl_login = 1

Do you have other or better ideas?

Thank you for the discussion


(Matthieu Aubry) #2

I had to remove this setting because it was kind of hard to enforce properly.

Remove force_ssl_login setting -> only support force_ssl for security · Issue #4001 · matomo-org/matomo · GitHub

Maybe we could allow the API to be used over HTTP with a new config setting?

What are the other reasons not to use force_ssl?


#3

I think it’s a good idea to separate the SSL flag for the login from the SSL flag for the API and the web cron.

The two reasons I have listed above: web cron and API. The scripts which are using the API are running on an old Linux server with no possibility for SSL requests. I won’t change this. I’m sure you know the saying “Never touch a running system.”