Not planned Force https for login

This suggestion has been closed. Votes are no longer accepted.

Mike

XenForo developer
Staff member
Speaking of your primary suggestion based on the title, this isn't something we plan to do as it provides little effective improvement. If the page that displays your login page is not offered over SSL, the whole process can still be MITM attacked. Further, you then require cookies to be sent over a non-SSL connection (no "secure" flag), which means that they can be stolen by a MITM which would also allow account access.

If SSL is to be used, it should be used everywhere.
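An added example, not part of the post above and not XenForo's code: a small Python audit that checks the three points the reply raises (scheme of the page showing the login form, scheme of the form target, and the `Secure` attribute on cookies) against constructed responses. The host, route and cookie values are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def audit_login_flow(page_url, html, set_cookie_headers):
    """Return findings for a login page, its form targets and the cookies it sets."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("login page served without TLS: a MITM can rewrite the form")
    parser = _FormActions()
    parser.feed(html)
    for action in parser.actions:
        target = urljoin(page_url, action)  # an empty action posts back to the page
        if urlsplit(target).scheme != "https":
            findings.append(f"form posts credentials in cleartext to {target}")
    for header in set_cookie_headers:
        pair, *attrs = [part.strip() for part in header.split(";")]
        if "secure" not in {a.split("=", 1)[0].lower() for a in attrs}:
            name = pair.split("=", 1)[0]
            findings.append(f"cookie {name} lacks Secure: also sent over plain HTTP")
    return findings

# Constructed sample: TLS only for the login POST (hypothetical host, route, cookie value).
HTTPS_LOGIN_ONLY = audit_login_flow(
    "http://forum.example/login",
    '<form action="https://forum.example/login/login" method="post"></form>',
    ["xf_session=abc123; path=/; HttpOnly"],
)
# Constructed sample: TLS on every page, session cookie marked Secure.
HTTPS_EVERYWHERE = audit_login_flow(
    "https://forum.example/login",
    '<form action="/login/login" method="post"></form>',
    ["xf_session=abc123; path=/; HttpOnly; Secure"],
)

if __name__ == "__main__":
    for label, result in (("login-only", HTTPS_LOGIN_ONLY), ("everywhere", HTTPS_EVERYWHERE)):
        print(label, result or "no findings")
```

The login-only configuration still yields two findings even though the credentials themselves are posted over TLS, which is the gap the reply describes.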