Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
jsConnect conflicting with SSL Controllers Plugin
jcwebdev
New
Hi folks,
I'm running jsConnect for SSO with Vanilla and Wordpress but whenever I turn on SSL Controllers, the Sign In link loads a blank popup.
I've tried changing the Sign In URL to http from https in the jsConnect settings but the same thing happens.
Has anyone else had this problem? How did they fix it?
0
Comments
I've disabled jsConnect and found that this is with the signin popup as opposed to jsConnect. Is anyone else encountering this?
Ok, I see that the plugin is supposed to do this as the sign in popup loads using AJAX which isn't secure. I think secure sessions can be used but I've tried configuring the plugin and it doens't change its behaviour.
What isn't secure? Loading an asset/form has nothign to do with secure sessions. Vanilla uses secure sessions, you haven't even logged on yet. Messing around with it could make it less secure.
jsConnect is a three part handshake.
I think the problem you are having is with mixed content. You want to disable that button anyway if you are using jsConnect, and the popup preferably.
You need to make sure that the registration type is connect.
you can set
note the last one, probably best just to hide the sign out link, as you won't have the nonce,transient key, of the connecting app.
set
Youc could hide the sign in/sign out link, an block it using routes, server rules. Just make sure you don't block the routes that jsConnect uses.
grep is your friend.
The problem is with SSL Controllers. After a bit of digging around, I discovered that the AJAX sign in popup is problematic because you are requesting a secure sign in from a non-https page. As such, the popup loads but no content displays in it.
The link to the sign in page works perfectly however, as the user is then sending data to the server from a https page. I got around the problem by using JS to remove the class that caused the link to popup.
I created a custom plugin and loaded this:
class CustomJSPlugin extends Gdn_Plugin {
$(document).ready(function() { $("#Frame ul li a").removeClass("SignInPopup"); });public function Base_Render_Before(&$Sender)
{
$JavaScript = '
';
// Send it to the Header of the page
$Sender->Head->AddString($JavaScript);
}
}
that is exact what I said mixed content.
You could just
copy default.master.php to your theme and remove the class from that. just search for SignInPopup.
alternatively you could use hooks, to riffle through the menu items, and their attributes. A bit more complex but possible.
grep is your friend.
Thanks for the help; no harm in using a plugin to add functionality but it is nice to know about these alternatives.