Not planned Force https for login

This suggestion has been closed. Votes are no longer accepted.
Speaking of your primary suggestion based on the title, this isn't something we plan to do as it provides little effective improvement. If the page that displays your login page is not offered over SSL, the whole process can still be MITM attacked. Further, you then require cookies to be sent over a non-SSL connection (no "secure" flag), which means that they can be stolen by a MITM which would also allow account access.

If SSL is to be used, it should be used everywhere.
 

Similar threads

K
Possible security issue: API Login Token always allows permanent login
Replies
0
Views
404
Kirby
K
S
Require password reset upon login
Replies
2
Views
327
stromb0li
S
SpecialK
  • Solved
XF 2.2 Best way to handle forced login via connected account?
Replies
8
Views
722
mattrogowski
mattrogowski
Korsch
XF 2.2 External login
Replies
2
Views
504
Korsch
Korsch
T
  • Question Question
XF 2.2 Login limit method (User fails to log in 4 times in a 15 minute)
Replies
3
Views
346
topkurs2
T
Top Bottom