Hi there,

I have recently installed a SSL cert on my website and it is set to encypt admin access (backend) and via the login module. I do not wish to allow SSL for the entire site as this is not required and has a large impact on the page loading time.

The backend and login modules of the website are working fine with the SSL but the JomSocial login on the community page is not and visitors to my site who login in this manner are doing so insecurely. Is there a way to set the JomSocial login to use SSL or is there a way to disable the JomSocial login module on the community homepage?

Hi J,

To be honest, you can't disable Jomsocial login module. If you want to make this login module disappear and only use joomla default login, you must edit this file (components/com_community/templates/default/frontend.guest.php)

Warm Regards,
David

Thanks David. Your response certainly helps if I need to remove this part of the page. Of course, I would rather not have to do this. Do you or anyone else know of a way of getting the login, registration and forgot password etc. parts of the community homepage to work with SSL.

If this has not already been implemented I would have thought it was extremely important for social based software. Otherwise isn't it very difficult for any website using Jomsocial to abide their own privacy policy which on account of law in several countries should state that the data collector knows where personal data is being stored and how it is being used? How can this policy be upheld if data cannot be protected during transfer to the server?

I know you can protect the entire site with SSL but this has a drastic implication of site optimization and page loading times. Making these login and registrations elements SSL compatible seems much more logical.

Hi J,

So do you want avoid the people steal your user datas? well, we cant help you too much with SSL method which this is beyond our support.

But Jomsoical has privacy features (public/private/membersonly), maybe you can use that feature as well.. maybe it will minimalize the people steal your datas.

Hi Dimas,

I'm sorry, there must be some confusion.

The vulnerability I am talking about only comes from using the login part of JomSocial...



When a guest is on my website SSL is not used as the guest is not able to input into any fields until they log on. I believe this is a standard setup.

When a user logs into the website using the normal joomla login module, the pages changes to HTTPS and the data is encrypted during transfer to the server.





However, when a user logs in using the JomSocial login module...





SSL is not used to encrypt the data while sending the information and the data can be intercepted.





As you can see, this has nothing to do with Jomsocial privacy features. When information is put into Jomsocial and set to private or members only, it is still being sent to the server unencrypted if the user has logged on using the Jomsocial login rather than the standard Joomla login module. Hense, the JomSocial login is causing a vulnerability in my website.

I would like to know how I can get the jomsocial login to use SSL in the same manner as the standard Joomla login module. This should not involve altering the SSL metherod... I would have thought it would involve providing an option in the backend of Jomsocial to make the jomsocial login use SSL the same as there is for the standard joomla login module. If this is not possible I would like the option to remove the jomsocial login module from the community page which would then force users to login using the standard Joomla module.

I hope this makes the problem clearer. I apologize again from any previous confusion.

kinds regards,

j

Hi J,

If you scared about jomsocial privacy features maybe you can consider my suggestion, just hack jomsocial frontpage code to make jomsocial login module disappear so you only use joomla default login?

About SSL login, i have been reported this to our developer, i hope in the future we can improve this login page :)

Warm Regards,

David

Ok, thanks for your help.