CB Facebook Connect and SSL

Krileon,

Couple of things, I am not sure if you are able to help me or not but just to clarify:

1.) Our site is not designed to be HTTPS across the board, we are using a non EV certificate to just conform to Facebook's requirement of the main page being SSL for APPs now. This does not change the fact that when the facebook login button is pressed the URL which is accessed is NOT HTTPS, I am planning on trying to rewrite that URL to HTTPS unless you have a better way for me to fix this

2.) The validation and JS errors are caused by the horrible JS delivered through ad partners, while I am not happy about this fact, we are a ad driven company, so sadly it is a necessary evil. But if you look at the page with the Facebook API error (access to oAuthSuccess denied, there are obviously no other JS errors there). And again when not in SSL on the main page, the login link works with no issues whatsoever (so the ads or validation is not causing the postback from Facebook to fail, something else is).

3.) We are using no SEF extensions, only Joomla2.5 base SEF

4.) We are not using .htaccess files, our servers are NGINX so they use their own specific set of rules, the only ones enabled are the Joomla approved standard redirect/rewrites


If you can cannot help me find a solution (which I assume with Professional there is not another support route I should be taking), then please tell me where I can look to find the code which is actually controlling that postback/popup page, I would like to see how I can force the final page to be served via SSL (without rewriting if possible).

Thank you

we are using a non EV certificate to just conform to Facebook's requirement of the main page being SSL for APPs now.

This is not a requirement for authentication apps. You do not need to use SSL for CB Connect or its usage. SSL is only required if you have an app on Facebook it self. The way they work is they load in your application, which you host on your server, as a Canvas; that needs to be SSL, but that is not what CB Connect is so you don't need SSL at all. All API calls are with HTTPS (using cURL) so the data is secured, but again you don't need SSL on your site and just need cURL (which you likely have already, check CB Connect > Tools to confirm as it'll display an error if cURL isn't present).

This does not change the fact that when the facebook login button is pressed the URL which is accessed is NOT HTTPS, I am planning on trying to rewrite that URL to HTTPS unless you have a better way for me to fix this

The live_site in Joomla uses the schema of the current viewed page. So if your entire site isn't HTTPS then the redirect_uri when viewing your site as HTTP will be HTTP and cause your current situation. If you want to force it to HTTPS you'll need to do a str_replace on live_site in getEndpointURL, which is found in the below file.

/components/com_comprofiler/plugin/user/plug_cbconnect/cbconnect.class.php

If you can cannot help me find a solution (which I assume with Professional there is not another support route I should be taking), then please tell me where I can look to find the code which is actually controlling that postback/popup page, I would like to see how I can force the final page to be served via SSL (without rewriting if possible).

There's nothing more I can do, because this isn't a bug or issue in CB Connect. It's just bad setup of SSL. I suggest using SSL throughout your entire site or don't use it at all. It really is an all-or-nothing usage. Notice the HTTPS version of your site does not even work properly.

www.worldwideinterweb.com/

The reason for this is your site is not SSL ready. There is cross-content everywhere with over 120 cross-content warnings. It's doing this because you have live_site configured, htaccess configured, or some other form of URL rewriting in Joomla that is setting the live_site to HTTP forcing all links to HTTP.

You can see this by navigating to the above HTTPS version of your site in Chrome for example then pressing F12 and expanding the "head" element and see that all your headers are added with HTTP (not limited to CB, everything is doing this). So even if Facebook required SSL you would not meet that requirement, because your site will not pass validation.