• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Not planned Force https for login

Mike

XenForo developer
Staff member
#3
Speaking of your primary suggestion based on the title, this isn't something we plan to do as it provides little effective improvement. If the page that displays your login page is not offered over SSL, the whole process can still be MITM attacked. Further, you then require cookies to be sent over a non-SSL connection (no "secure" flag), which means that they can be stolen by a MITM which would also allow account access.

If SSL is to be used, it should be used everywhere.