
Problem: Vanilla 1.1.10 default installation settings

edited April 2010 in Vanilla 2.0 - 2.8
I'm pleasantly surprised to have come across this forum implementation.

However, there's a rather fundamental issue with the default installation routine that should probably be changed or risk having some users throw up their hands when it doesn't work the first time and search for another forum package.

The default installation creates a login form (form id="frmSignIn") that defaults to an HTTPS protocol. I couldn't figure out why I couldn't log in after the wicked simple implementation and it took about 10 minutes to figure out the obvious. I'm sure you'd agree that default installation shouldn't do this.

Comments

  • Hmm, neither of my local copies have the form defaulted to https and I don't remember specifically changing them... I'll try a fresh download and install and see what happens.
  • Stash
    edited April 2010
    No https for me. I wonder why you got it?

    This is the source for the login page I get right after installing:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-ca">
    <head>
    <title>temp - Sign In</title>
    <link rel="shortcut icon" href="/temp/themes/vanilla/styles/default/favicon.ico" />
    <link rel="stylesheet" type="text/css" href="/temp/themes/vanilla/styles/default/people.css" media="screen" />
    <script type="text/javascript" src="/temp/js/global.js"></script></head>
    <body onload="Focus('txtUsername');">
    <div id="SiteContainer"><div class="SiteContainer SignIn">

    <h1>temp</h1><div id="Form" class="SignInForm">
    <fieldset><form id="frmSignIn" method="post" action="http://dev.lan/temp/people.php"><div><input type="hidden" name="PostBackAction" value="SignIn" />
    <input type="hidden" name="ReturnUrl" value="" />
    </div><ul>
    <li>
    <label for="txtUsername">Username</label>
    <input id="txtUsername" type="text" name="Username" value="" class="Input" maxlength="20" />
    </li>

    <li>
    <label for="txtPassword">Password</label>
    <input id="txtPassword" type="password" name="Password" value="" class="Input" />
    </li>
    <li id="RememberMe">
    <label for="RememberMeID"><input type="checkbox" name="RememberMe" value="1" id="RememberMeID" /> Remember me</label>
    </li>

    </ul>
    <div class="Submit"><input type="submit" name="btnSignIn" value="Proceed" class="Button" /></div>
    </form>
    </fieldset>
    <ul class="MembershipOptionLinks">
    <li class="ForgotPasswordLink"><a href="http://dev.lan/temp/people.php?PostBackAction=PasswordRequestForm">Forgot your password?</a></li>
    <li class="ApplyForMembershipLink"><a href="http://dev.lan/temp/people.php?PostBackAction=ApplyForm">Apply for membership</a></li>
    </ul>
    </div></div></div>
    <div class="Foot SignIn"><a href="http://lussumo.com">Lussumo Vanilla, Swell, and People</a> Copyright &copy; 2001-2009</div></body>

    </html>
  • Just to be sure it wasn't something on my end, I removed the installation and the database, rebooted the server, and tried it from scratch again. It did, in fact, set the "action" in the login form to HTTPS. Now... I *do* have an SSL cert installed on this machine and for my domain so I wonder if that could have something to do with it.
  • I think someone reported a similar bug, but I haven't been able to reproduce it...
  • What does conf/settings.php look like?
  • Before I changed it, it was HTTPS everywhere.