Secure pages in Joomla
Written by Web Master   
Wednesday, 22 March 2006

I've searched and searched, without success, for references on a clear solution to secure Joomla 1.0.x / Mambo 4.5.x sites without having to install a separate directory.  So this article has some tips, hints and hacks to configure a secure Joomla or Mambo site.

  • Having secure sections of a web site is useful to protect documents and give users a sense of security. 
  • Joomla 1.5 (previously 1.1) has introduced a feature that allows securing pages by selecting an SSL option for the content.  Unfortunately that is not available yet, and the official stable release date of 1.5 is not really known; they seem to be behind their anticipated release schedule and are at the Alpha 2 stage.  If you want Joomla 1.5 to be released sooner, it would help to download and test their alpha/beta release and submit any bugs or suggestions.  It's a good idea to submit your suggestions for ease of use now as well, instead of waiting until the final release, as it may be easier to make such changes now than when the code has been finalized.
  • For now, if you want to secure a section of your site without having to install a separate mirror instance of the files in a separate folder, make sure your ISP allows you to point SSL traffic to the same folder as the port 80 traffic; if not, they may be able to make the change for you.

This workaround is not perfect, but it works. First, modify your configuration.php:

// Use the https:// base URL when the request arrived on the SSL port.
if ($_SERVER["SERVER_PORT"] == 443) {
  $mosConfig_live_site = 'https://www.samalander-os.com/cms';
} else {
  $mosConfig_live_site = 'http://www.samalander-os.com/cms';
}

This should be self-explanatory for those who know a bit about PHP.  With this modification, you will be able to view your entire site either securely or normally. The only problem is that if you save your configuration through Global Configuration, this gets overwritten.  I haven't had the time to develop a "hack" in the admin code to add this string to the configuration.php when saved through the admin, but it could be done.
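
The overwrite problem described above can also be handled outside the admin code. The following is an added example, not code from the original article or from Joomla/Mambo: a hypothetical helper, patch_live_site(), that restores the port switch in a configuration.php whose live-site line was reset by a save. It assumes the admin writes that line as a single $mosConfig_live_site = '...'; assignment, and the sample file contents are constructed.

```php
<?php
// Added example: re-applies the port-based $mosConfig_live_site switch after
// Global Configuration has rewritten configuration.php with a single assignment.

function patch_live_site($config)
{
    // Already patched: the switch on SERVER_PORT is still in the file.
    if (strpos($config, '$_SERVER["SERVER_PORT"]') !== false) {
        return $config;
    }
    // Assumed format of the line written by the admin save:
    //   $mosConfig_live_site = 'http://host/path';
    $pattern = '#^\$mosConfig_live_site\s*=\s*\'https?://([^\']+)\';[ \t]*\r?$#m';
    if (!preg_match($pattern, $config, $m)) {
        return $config; // unexpected layout: leave the file untouched
    }
    $rest = $m[1]; // host and path without the scheme
    $block = 'if ($_SERVER["SERVER_PORT"] == 443) {' . "\n"
           . "  \$mosConfig_live_site = 'https://$rest';\n"
           . "} else {\n"
           . "  \$mosConfig_live_site = 'http://$rest';\n"
           . "}";
    // A callback keeps any "$" or "\" in the block from being read as a backreference.
    return preg_replace_callback($pattern, function () use ($block) {
        return $block;
    }, $config, 1);
}

// Constructed sample of a file after an admin save (not a real site's config).
$sample = "<?php\n\$mosConfig_lang = 'english';\n"
        . "\$mosConfig_live_site = 'http://www.example.org/cms';\n"
        . "\$mosConfig_sitename = 'Example';\n";

$once  = patch_live_site($sample);   // single assignment becomes the if/else block
$twice = patch_live_site($once);     // second pass must change nothing
echo $once, "\n";
echo $once === $twice ? "idempotent\n" : "changed on second run\n";
```

Run it against a copy of configuration.php first, and keep the script itself outside the web root so it cannot be requested through the site.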

After the user logs in, all communication will be secure for pages viewed thereafter.  The problem now is that once the person logs out of the system, all the pages are still viewed over SSL.  The following setup redirects the user to the non-secure home page of the site when logging out.

Note: I hacked the main menu link (Login/Logout) to the login component through SQL to point to the full URI for SSL (i.e. I added the 'https://' to the entry).  I did this so that when someone clicks the logout button after they log in, the component will redirect users that log out to the non-secure URI specified in the parameters in the link menu.  If you can't do this, there is another workaround by simply using a web link to the login component.  Be sure to include the full URI in the parameters.  Then set the login module to appear above the menu.  Set the permissions to Registered so that the logout button will appear above the main menu (or wherever you want it) after users log in.  Finally, configure the module (similar to the menu link to the component) to redirect the users to non-secure pages after they click the logout button.

 
© Copyright 2005-2006, Samalander-OS Ltd. All rights reserved.