#4512 (ok 4.4.7) ForceSSL Redirect Check

[Rob Ryan]

Forgive me if this is just a lack of understanding, I usually make this change when I install new versions and I can't see much online to give me the reasoning for why it works that way it does.

The "check HTTPS connection" in libraries/common.inc.php uses is_https to check whether a redirect should be made if ForceSSL is turned on. From is_https: "This function checks if the https protocol is used in the PmaAbsoluteUri" which as I understand it is the configuration value which is will always contain https:// if set that way.

Should it not instead use detectHttps to check if the active connection is secure to know whether a redirect is required?

Thanks.

[Cen]

I digged around this issue and my interpretation is the following:

Case 1: PmaAbsoluteUri setting is null by default, ForceSSL is true
Works like: If the requested URL is not https, then redirect to https (PmaAbsoluteUri is autopopulated)

Case 2: PmaAbsoluteUri setting is set to http, ForceSSL is true
Works like: Always redirect

Case 3: PmaAbsoluteUri setting is set to https, ForceSSL is true
Works like: Never redirect

Case 3 might be problematic because for example, you can access the login page through http and not get redirected even though ForceSSL is true. Waiting for opinion.

[Madhura Jayaratne]

Fixed with https://github.com/madhuracj/phpmyadmin/commit/47b734473e964546c5ac6f5324324f8ebf7fc3d4