Features Wish List (Read 5,241 times)
Zoro
Junior Member
Posts: 74
Location: U.S.A.
Re: Features Wish List
Reply #7 - Feb 5th, 2009 at 7:10am
batchman wrote on Feb 4th, 2009 at 3:44pm:
1) if linking to an image that is not on your server, is there any way to make it fully secure? I would guess not.


batchman, you're correct on this.  The only reason I mentioned this is because Internet Explorer will show this message when a user opens a message with an embedded file from another website: "This page contains both secure and nonsecure items." Do you want to display the nonsecure items? If you answer Yes, the image is properly displayed but the page does not have a secure connection.  If you answer No, the image is not displayed but the page has a secure connection.  To work around this problem, adding the attachment to the message instead of linking directly to the file solves it completely.

deti wrote on Feb 4th, 2009 at 5:22pm:
Edit LogInOut.pl and add/replace the highlighted:


deti, the login menu worked before nicely.  With these changes, they still work and function in the same manner.  There is not a problem with login, the login page correctly accepts a username/password and then goes to the main page in a secure address https://...

After further testing, the only problem is with embedded images from our own website when a user enters http://www.domain.com/image.jpg.  However, this can easily be resolved by requiring the user to enter the address as  https://www.domain.com/image.jpg.  Batchman mentioned in his message a potential solution to this problem, shown below.

batchman wrote on Feb 4th, 2009 at 3:44pm:
2) If posting an image and it is on your server, how easy would it be to include some code in the BBC handling to automatically change all http to https when it first encounters the code?  


I have been pondering over SSL and its potential for future use with this community forums software.  Ideally, I envision seeing YaBB have the ability to give an administrator the option of having secure connections for important functions which require protection:

1) logins
2) private messaging (PM)
3) and private administration forums

... with the rest of the forum to be in the usual non-secure address of http://..., which most importantly, are search engine friendly.

Until we reach those objectives, changing the four URL paths in the Administration menu to https://www.domain.com/community/forums makes the entire forum with all of its features secure and the most suitable option for SSL connections.  
« Last Edit: Feb 5th, 2009 at 11:33pm by Zoro »  

“Everyone has the right to freedom of opinion and expression...” — United Nations declaration
“The great and glorious masterpiece of man is to know how to live to purpose.” — Michel de Montaigne
“Great spirits have always encountered violent opposition from mediocre minds.” — Albert Einstein

deti
Legacy Dev Team
Development Team
Posts: 2,650
Location: Prien am Chiemsee, Germany
Re: Features Wish List
Reply #6 - Feb 4th, 2009 at 5:22pm
To 1): No.

To 2): Easy I think. All can be done in the Subs.pl -> sub template

Edited:
Zoro,

would you try this:
Edit LogInOut.pl and add/replace the highlighted:
Code:
	}
	# Derive an https:// form of the script URL so the login form posts over SSL.
	my $http_s = $scripturl;
	$http_s =~ s/^http:/https:/;
	$sharedlog .= qq~
			<form name="loginform" action="$http_s?action=login2" method="post">
				<input type="hidden" name="sredir" value="$INFO{'sesredir'}" />
				<div style="clear: both; padding-top: 4px; margin-left: auto; margin-right: auto; width: 600px;">


I don't know if it works because after the login is done over SSL, the script redirects the browser to the homepage via http:
Maybe you will get a browser warning then
but there is no need to load images via https:
as long as you don't make login errors
« Last Edit: Feb 4th, 2009 at 8:21pm by deti »  

Whatever you can do
or dream you can,
begin it.
Boldness has genius,
power and magic in it.
Begin it now.
J. W. Goethe

batchman
Support Team
Posts: 371
Location: Orlando, FL
Re: Features Wish List
Reply #5 - Feb 4th, 2009 at 3:44pm
1) if linking to an image that is not on your server, is there any way to make it fully secure? I would guess not.

2) If posting an image and it is on your server, how easy would it be to include some code in the BBC handling to automatically change all http to https when it first encounters the code?
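
The rewrite asked about in 2) above, together with the limit in 1), as an added example (not YaBB's code and not written by anyone in this thread): a standalone Perl routine that upgrades `[img]` URLs on the forum's own host to https and reports the http images that would still trigger the browser's mixed-content prompt. The `%own_host` list, the function name and the plain `[img]URL[/img]` tag form are assumptions; the third sample URL is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: hosts that serve the same files over https (placeholder names).
my %own_host = map { $_ => 1 } qw(www.domain.com domain.com);

# Rewrite plain [img]URL[/img] tags in a message body.
# - http:// URLs on an own host (default port only) are upgraded to https://
# - http:// URLs on any other host are left as-is and reported, since the
#   forum cannot make a third-party server speak https
# Returns the rewritten text and an array ref of URLs still loaded over http.
sub upgrade_img_urls {
    my ($message) = @_;
    my @insecure;
    $message =~ s{
        (\[img\]) \s*
        ( http:// ([^/\s\[\]:?\#]+) (?: : (\d+) )? (?: [/?\#] [^\s\[\]]* )? )
        \s* (\[/img\])
    }{
        my ($open, $url, $host, $port, $close) = ($1, $2, lc($3), $4, $5);
        if ($own_host{$host} && !defined $port) {
            $url =~ s/^http:/https:/i;   # same host, so the https copy exists
        } else {
            push @insecure, $url;        # external or non-default port
        }
        "$open$url$close";
    }gixe;
    return ($message, \@insecure);
}

# Constructed sample: the first two URLs appear in the thread, the third is made up.
my $sample = join "\n",
    '[img]http://www.domain.com/image.jpg[/img]',
    '[img]http://l.yimg.com/a/i/ww/beta/y3.gif[/img]',
    '[img]https://www.domain.com/logo.png[/img]';

my ($rewritten, $insecure) = upgrade_img_urls($sample);
print "$rewritten\n";
print "still loaded over http: $_\n" for @$insecure;
```

The URLs it reports are the ones a forum running entirely on https would need attached to the message rather than linked.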
  
Zoro
Junior Member
Posts: 74
Location: U.S.A.
Re: Features Wish List
Reply #4 - Feb 4th, 2009 at 7:06am
deti wrote on Feb 1st, 2009 at 10:54pm:
Why didn't you update your HTML-URL-Path-settings to https://.... ?


deti, thank you for the suggestion.  At first and similar to our old forums (hard-coded option), we wanted to have only the login menu to be secured with an address of https://...,
Once logged in, the system would send the user back to the forum main menu with an address of http://...

However, with your suggestion, I changed the four path statements in the Administration | Path Settings | URL Settings to point to https://....  This option allows our entire community forum to be displayed through secure SSL.  While this method is excellent for our specific needs, during testing, we ran into this small problem when entering image URLs within a message.  For example, since our volunteer users will probably enter the addresses as http://l.yimg.com/a/i/ww/beta/y3.gif, the browser will notify future users who open that message with this message: "This page contains both secure and nonsecure items."  Thus, images from other websites can't be embedded within messages since they will not display correctly, but that can be solved by attaching a copy of the file within the message.  

In summary, I haven't decided between all http://... or https://..., since this may affect server performance if all forum communications were done through an SSL connection.  Then again, the thought of all our volunteer work, forum logins, private messaging, and other features will be private and secure is a very comforting option indeed.  Decisions, decisions...

Thank you again for your suggestion, I appreciate it very much.
« Last Edit: Feb 4th, 2009 at 7:09am by Zoro »  

deti
Legacy Dev Team
Development Team
Posts: 2,650
Location: Prien am Chiemsee, Germany
Re: Features Wish List
Reply #3 - Feb 1st, 2009 at 10:54pm
@ The Zoro

Zoro wrote on Feb 1st, 2009 at 6:42pm:
This page contains both secure and nonsecure items.
Why didn't you update your HTML-URL-Path-settings to https://.... ?
  

Zoro
Junior Member
Posts: 74
Location: U.S.A.
Re: Features Wish List
Reply #2 - Feb 1st, 2009 at 6:42pm
Corey Chapman wrote on Jan 29th, 2009 at 3:09am:
Thank you for the suggestions.

SSL security can be done, but nothing that we have to develop. The webmaster must purchase an SSL certificate and install it on their site.


Corey, thank you for the reply, I appreciate it very much.

I have an open source LAMP server with the ability to generate a genuine 256-bit SSL certificate for the website, which I've already created and currently use.  Because it's self-generated and managed, it saves our volunteer-based website from having to pay Verisign hundreds of dollars per year for services (secure connections to the server for volunteers, not ecommerce uses) which the server already manages quite well.  Certainly, we understand that an ecommerce setting with online customers requires a Verisign partnership.  However, we only use the certificate for SSL connections for secure logins and transfers.

After importing our certificate into the Internet Explorer security certificate store folder, the browser correctly displays "SSL secured" on pages having an https://... address.

Every CGI script that I use allows for either an http://... or https://.... When I enter a login link, for example...

https://www.domain.com/community/forums/index.pl?action=login

Internet Explorer states...

Security Information

This page contains both secure and nonsecure items.

Do you want to display the nonsecure items?


If you answer "Yes", then the images and the page are displayed correctly, however, the page is not on a secure connection.

If you answer "No", then the images do not appear and the page is not displayed correctly. However, the page is now on a secure connection.

This question arises because of the way the images are coded and the path statements embedded into YaBB.  To resolve it, a secure login option with no graphics or even better, having properly pathed images to ensure they appear correctly on a secure page.

While the majority of websites wouldn't favor this feature, either because of certificate hassles or other system related reasons, the benefits this security option offers will be beneficial to have as a feature unique to YaBB.

Corey Chapman wrote on Jan 29th, 2009 at 3:09am:
YaBB.pl instead of index.pl  


The YaBB team delivered, swiftly and perfectly!  Thank you!
http://www.yabbforum.com/community/YaBB.pl?num=1233181885

Corey Chapman wrote on Jan 29th, 2009 at 3:09am:
Calendar, sub-boards, and maybe SSI will be in the future version YaBB.


JetLi has completed the Calendar and Advertisement Ads mods, which work well with our existing open source Perl advertising system.  Thank you JetLi!

Server Side Includes (SSI) would be a highly beneficial feature.  It would empower the administrator to have the ability to pull any type of forum information (certain forums, messages, authors, or calendar events, etc.) and display the text on their website's main page, effectively creating a dynamic web presence.  I firmly believe this feature would generate a tremendous amount of interest in this superb, Perl based YaBB community software.

Corey, thank you again for all that you do here, I appreciate it very much.
« Last Edit: Feb 1st, 2009 at 6:50pm by Zoro »  

Corey Chapman
YaBB Administrator
Posts: 10,015
Location: Rock Hill, South Carolina
Re: Features Wish List
Reply #1 - Jan 29th, 2009 at 3:09am
Thank you for the suggestions.

SSL security can be done, but nothing that we have to develop.  The webmaster must purchase an SSL certificate and install it on their site.

We keep YaBB.pl instead of index.pl so we get more name recognition. It also makes it easy to search Google and see what forums (and how many) use YaBB.  You can change it to index.pl if you know what you are doing (not hard really), but I try to preserve this right only to those that purchase the copyright removal license.

Calendar, sub-boards, and maybe SSI will be in the future version YaBB.  Everything else is available as mods, and I'm not sure if we'll add them as part of the default package.
  

Zoro
Junior Member
Posts: 74
Location: U.S.A.
Features Wish List
Jan 29th, 2009 at 12:21am

Thank you to the developers of this great forum software!

I've been researching forums to find the one with features and higher security, and have selected YaBB 2.3.1.  My decision would have been made easier if the forum software had these community features.
  • Shoutbox (non-IRC) integrated within the top of the forum main menu.
  • Sub-boards capabilities.
  • Photo/Image capabilities similar to Myspace, whereby the user logs into YaBB and can then upload photo albums.
  • Photo/Image - better integration to other open source Gallery scripts.
  • For a more professional and structured presence, the main script of YaBB.pl to be changed into index.pl, for example...
    http://www.domain.com/community/forums/index.pl
    Please note, the copyright and links to credit the YaBB development team will still appear on the forums.
  • Calendar, Network (Myspace buttons), and other useful and currently available mods (thanks to JetLi and others) for a community website to be included within an installation package.
  • SSI includes and How-To's for helping administrators build an  entry page which has "includes" of top posts, moderator or administrator articles, news articles from forums, calendar events, but is displayed on the main community page, for example...
    http://www.domain.com/community/index.shtml
Thank you again for developing great forum software.
« Last Edit: Jan 29th, 2009 at 12:32am by Zoro »  
