Support

Akeeba Ticket System

#42026 AJAX Error – Unable to Change Ticket Status from Frontend (Mixed Content & Token Issue)

Posted in ‘Akeeba Ticket System for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
5
PHP version
8.3
Akeeba Ticket System version
lasta

Latest post by nicholas on Thursday, 19 June 2025 07:51 CDT

Thursday, 19 June 2025 06:01 CDT

crlombardia

Dear Akeeba Support Team, I’m experiencing a critical issue with the Akeeba Ticket System (ATS) on Joomla 5.0.x. When attempting to change the ticket status via the status dropdown in the frontend interface, the AJAX request fails, and the browser console reports the following:

 What happens:

  • Clicking on a status in the dropdown triggers an AJAX call to: index.php?option=com_ats&task=ticket.ajax_set_status&format=json&id={ID}&status={STATUS}

  • The request is blocked due to Mixed Content — it is sent over HTTP even though the site is fully served over HTTPS.

  • The browser blocks the request and returns this error: Mixed Content: The page at 'https://[site]' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://[site]/index.php?...'. This request has been blocked.

🧪 Attempts already made:

  • Ensured force_ssl = 2 in Joomla configuration.php

  • Checked .htaccess redirect rules

  • Verified live_site is not defined

  • Confirmed no hardcoded HTTP URLs are in the template or JS

  • Cleared Joomla and browser cache

  • Changed Joomla template to Cassiopeia → issue persists

  • Verified that backend status change works without issues

❗️Error in network trace:

 The request is shown as: Request URL: http://[domain]/index.php?option=com_ats&task=ticket.ajax_set_status&...
Status Code: (blocked:mixed-content)

❓Request:

Could you please advise:

  1. Why the generated AJAX URL defaults to HTTP instead of HTTPS even though systemPaths.root is correct?

  2. Is this a known issue or misconfiguration?

  3. Is there an official override or patch to force HTTPS for all frontend AJAX calls in ATS?

Thank you for your support.

Best regards,

Frank

Thursday, 19 June 2025 07:51 CDT

nicholas

The request is blocked due to Mixed Content — it is sent over HTTP even though the site is fully served over HTTPS.

Our software does not determine the URL; Joomla itself does, as we're using its frontend router API which is the ultimate point of truth for converting non-SEF URL paths (such as index.php?option=com_example) to relative or absolute URLs on your site (e.g. /foo/example and https://www.example.com/foo/example respectively).

Joomla automatically determines whether your site is using HTTP or HTTPS, and uses the same protocol when generating the routed URL. Therefore, the question is why does Joomla think that your site is being accessed over HTTP when you are using an HTTP URL. There are exactly two reasons this can happen.

You've already checked the first reason ($live_site being defined wrong in configuration.php), which leaves us with the second reason – and, in fact, the reason the $live_site configuration option exists in the first place.

The problem is that your server does not pass the HTTPS environment variable at all, or it contains the wrong information. There are two reasons for this:

  1. A server misconfiguration results in no HTTPS environment variable, or it's erroneously hard-coded to always return any value other than on.
  2. Your site is behind a load balancer, CDN, or reverse proxy which accesses your site's server over plain HTTP. Additionally, the load balancer either does not send the X-Forwarded-Proto HTTP header at all, or your server does not parse the X-Forwarded-Proto HTTP header to update its HTTPS environment variable..

The ideal solution is to track down which of these two root causes is the culprit and fix it.

In case you cannot do that, this is exactly the use case for $live_site. You would have to set it to the HTTPS version of your site's URL, e.g.

public $live_site = 'https://www.example.com';

Setting the $live_site tells Joomla to forego its auto-detection and use the scheme (https://) , domain name (www.example.com) and path (none in this example) present in the $live_site configuration variable. Essentially, this exists so you can mitigate the effects of a server misconfiguration without having to address to misconfiguration itself.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!