Index: t3lib/config_default.php
===================================================================
RCS file: /cvsroot/typo3/TYPO3core/t3lib/config_default.php,v
retrieving revision 1.74
diff -u -b -B -r1.74 config_default.php
--- t3lib/config_default.php 17 Oct 2005 09:53:49 -0000 1.74
+++ t3lib/config_default.php 19 Oct 2005 12:25:34 -0000
@@ -117,7 +117,7 @@
 'sessionTimeout' => 3600, // Integer, seconds. Session time out for backend users. Default is 3600 seconds = 1 hour.
 'IPmaskList' => '', // String. Lets you define a list of IP-numbers (with *-wildcards) that are the ONLY ones allowed access to ANY backend activity. On error an error header is sent and the script exits. Works like IP masking for users configurable through TSconfig. See syntax for that (or look up syntax for the function t3lib_div::cmpIP())
 'lockBeUserToDBmounts' => 1, // Boolean. If set, the backend user is allowed to work only within his page-mount. It's advisable to leave this on because it makes security easy to manage.
- 'lockSSL' => 0, // Int. 0,1,2: If set (1+2), the backend can only be operated from an ssl-encrypted connection (https). Set to 2 you will be redirected to the https admin-url supposed to be the http-url, but with https scheme instead.
+ 'lockSSL' => 0, // Int. 0,1,2,3: If set (1+2+3), the backend can only be operated from an ssl-encrypted connection (https). Set to 2 you will be redirected to the https admin-url supposed to be the http-url, but with https scheme instead. If set to 3, only the login is forced to SSL, then the user switches back to non-SSL-mode
 'enabledBeUserIPLock' => 1, // Boolean. If set, the User/Group TSconfig option 'option.lockToIP' is enabled.
 'loginSecurityLevel' => '', // String. Keywords that determines the security level of login to the backend. "normal" means the password from the login form is sent in clear-text, "challenged" means the password is not sent but hashed with some other values, "superchallenged" (default) means the password is first hashed before being hashed with the challenge values again (means the password is stored as a hashed string in the database also). DO NOT CHANGE this value manually; without an alternative authentication service it will only prevent logins in TYPO3 since the "superchallenged" method is hardcoded in the default authentication system.
 'adminOnly' => 0, // Int. If set (>=1), the only "admin" users can log in to the backend. If "<=-1" then the backend is totally shut down! For maintenance purposes.
Index: t3lib/class.t3lib_userauth.php
===================================================================
RCS file: /cvsroot/typo3/TYPO3core/t3lib/class.t3lib_userauth.php,v
retrieving revision 1.25
diff -u -b -B -r1.25 class.t3lib_userauth.php
--- t3lib/class.t3lib_userauth.php 19 Jun 2005 22:48:48 -0000 1.25
+++ t3lib/class.t3lib_userauth.php 19 Oct 2005 12:25:36 -0000
@@ -494,6 +497,13 @@
 if ($this->writeDevLog && $activeLogin) t3lib_div::devLog('User '.$tempuser[$this->username_column].' logged in from '.t3lib_div::getIndpEnv('REMOTE_ADDR').' ('.t3lib_div::getIndpEnv('REMOTE_HOST').')', 't3lib_userAuth', -1);
 if ($this->writeDevLog && !$activeLogin) t3lib_div::devLog('User '.$tempuser[$this->username_column].' authenticated from '.t3lib_div::getIndpEnv('REMOTE_ADDR').' ('.t3lib_div::getIndpEnv('REMOTE_HOST').')', 't3lib_userAuth', -1);
+ if($GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] == 3 && $this->user_table == 'be_users') {
+ $requestStr = substr(t3lib_div::getIndpEnv('TYPO3_REQUEST_SCRIPT'), strlen(t3lib_div::getIndpEnv('TYPO3_SITE_URL').TYPO3_mainDir));
+ if($requestStr == 'alt_main.php' && t3lib_div::getIndpEnv('TYPO3_SSL')) {
+ list(,$url) = explode('://',t3lib_div::getIndpEnv('TYPO3_SITE_URL'),2);
+ header('Location: http://'.$url.TYPO3_mainDir.'alt_main.php');
+ }
+ }
 } elseif ($activeLogin OR count($tempuserArr)) {
 $this->loginFailure = TRUE;
Index: t3lib/class.t3lib_tsfebeuserauth.php
===================================================================
RCS file: /cvsroot/typo3/TYPO3core/t3lib/class.t3lib_tsfebeuserauth.php,v
retrieving revision 1.22
diff -u -b -B -r1.22 class.t3lib_tsfebeuserauth.php
--- t3lib/class.t3lib_tsfebeuserauth.php 19 Jun 2005 22:48:48 -0000 1.22
+++ t3lib/class.t3lib_tsfebeuserauth.php 19 Oct 2005 12:25:38 -0000
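Review bot: In t3lib/config_default.php the new `lockSSL` comment still opens with "If set (1+2+3), the backend can only be operated from an ssl-encrypted connection", which does not hold for 3, since the sentence added at the end says only the login runs over SSL. An administrator chooses the value from this text, so it should state what mode 3 leaves unprotected. I would limit the first sentence to `(1+2)` and end the comment with `If set to 3, only the login (password submission) is forced to SSL; the backend session cookie and all later backend traffic go over plain HTTP.`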
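Review bot: In t3lib/class.t3lib_userauth.php the added `header('Location: http://'.$url.TYPO3_mainDir.'alt_main.php');` is not followed by `exit;`, so the rest of the authenticated request keeps running and its output is sent together with the redirect; add `exit;` on the line after the header call. The lockSSL == 3 branch added in typo3/init.php has the same gap after `header('Location: https://'.$url);`, where the login page would presumably still be produced in the plain-HTTP response. Because the session created during the SSL login is then reused on the http:// URL, its cookie cannot be restricted to secure connections, and a comment above the block such as `// lockSSL=3: deliberate downgrade after login; the session cookie is sent unencrypted from here on` would record that trade-off. The enclosing method starts and ends outside the hunk.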
@@ -653,7 +653,7 @@
 // **********************
 // Check SSL (https)
 // **********************
- if (intval($TYPO3_CONF_VARS['BE']['lockSSL'])) {
+ if (intval($TYPO3_CONF_VARS['BE']['lockSSL']) && $TYPO3_CONF_VARS['BE']['lockSSL'] != 3) {
 if (!t3lib_div::getIndpEnv('TYPO3_SSL')) {
 return FALSE;
 }
Index: typo3/init.php
===================================================================
RCS file: /cvsroot/typo3/TYPO3core/typo3/init.php,v
retrieving revision 1.23
diff -u -b -B -r1.23 init.php
--- typo3/init.php 4 Oct 2005 11:58:15 -0000 1.23
+++ typo3/init.php 19 Oct 2005 12:25:38 -0000
@@ -181,8 +181,14 @@
 // Check SSL (https)
 // **********************
 if (intval($TYPO3_CONF_VARS['BE']['lockSSL'])) {
- if (!t3lib_div::getIndpEnv('TYPO3_SSL')) {
- if ($TYPO3_CONF_VARS['BE']['lockSSL']==2) {
+ if ($TYPO3_CONF_VARS['BE']['lockSSL'] == 3) {
+ $requestStr = substr(t3lib_div::getIndpEnv('TYPO3_REQUEST_SCRIPT'), strlen(t3lib_div::getIndpEnv('TYPO3_SITE_URL').TYPO3_mainDir));
+ if($requestStr == 'index.php' && !t3lib_div::getIndpEnv('TYPO3_SSL')) {
+ list(,$url) = explode('://',t3lib_div::getIndpEnv('TYPO3_REQUEST_URL'),2);
+ header('Location: https://'.$url);
+ }
+ } elseif (!t3lib_div::getIndpEnv('TYPO3_SSL') ) {
+ if ($TYPO3_CONF_VARS['BE']['lockSSL'] == 2) {
 list(,$url) = explode('://',t3lib_div::getIndpEnv('TYPO3_SITE_URL').TYPO3_mainDir,2);
 header('Location: https://'.$url); // Just point us away from here...
 } else {
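Review bot: In t3lib/class.t3lib_tsfebeuserauth.php the new condition reads the setting twice, once through `intval()` and once raw with a loose `!= 3`; normalising it once keeps both tests on the same integer: `$lockSSL = intval($TYPO3_CONF_VARS['BE']['lockSSL']);` followed by `if ($lockSSL && $lockSSL != 3) {`. The banner above still says only "Check SSL (https)", so a line such as `// lockSSL=3 forces SSL for the login only; the check is skipped and the backend user is accepted over plain HTTP here` would explain why mode 3 is exempt. The enclosing function lies outside the hunk.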
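Review bot: In typo3/init.php the lockSSL == 3 branch enforces SSL by script name only (`$requestStr == 'index.php'`), and in that mode no other backend script reaches the `elseif` that rejects non-SSL requests. If the authentication code accepts login form fields on any backend script (it is not visible here, so this needs confirming), a password posted over HTTP to another script would be processed without the SSL requirement applying. The test would be safer keyed on the presence of login data as well, for example `if (!t3lib_div::getIndpEnv('TYPO3_SSL') && ($requestStr == 'index.php' || t3lib_div::_GP('login_status') == 'login')) {`, assuming `login_status` is the backend form's status field. Such a request should be refused rather than redirected, since a redirect only happens after the password has already crossed the wire. The `if`/`else` block continues past the end of the hunk.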