
How secure is the login/registration form?

Discussion in 'XenForo Questions and Support' started by Jaxel, Dec 30, 2014.

  1. Jaxel

    Jaxel Well-Known Member

    I have a user on one of my forums asking about security through logins. His complaint is that our website is not HTTPS, so the login form is potentially insecure as data is submitted in the clear.

    Now, putting the forum behind SSL is not an option, as we do a lot through Twitch/YouTube/etc., and not all those services support HTTPS. For instance, you can't reliably embed a Twitch stream on an HTTPS server, since they don't have methods to handle that and you get mixed-content errors.

    Is there a way to make the login form more secure?
  2. Xon

    Xon Well-Known Member

    Not really.

    XenForo sets the 'SSL only' flag if the cookie touches an SSL connection, after which point every sane browser will throw the cookie away if it touches HTTP.

    It doesn't actually win you very much to log in via HTTPS and then have your session token transmitted in clear text.
    HWS likes this.
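
The two outcomes Xon describes, as an added example that is not part of the original thread: Python's standard-library cookie jar stands in for the browser, applying the same rule that a cookie marked `Secure` is only returned over HTTPS. The host name, cookie name and cookie value are constructed for illustration and are not XenForo's.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "forum.example"  # constructed host, not from the thread


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(set_cookie, login_scheme, later_scheme):
    """Return the Cookie header the client attaches to a later request.

    The cookie is received on a login response over `login_scheme`, then a
    page on the same host is requested over `later_scheme`. Returns None when
    the client withholds the cookie.
    """
    jar = CookieJar()
    login = Request(f"{login_scheme}://{HOST}/login")
    jar.extract_cookies(FakeResponse(set_cookie), login)

    later = Request(f"{later_scheme}://{HOST}/threads/")
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


def scenarios():
    """Compare a Secure session cookie with one that lacks the flag."""
    secure = "session_token=constructed123; Path=/; Secure; HttpOnly"
    plain = "session_token=constructed123; Path=/; HttpOnly"
    return {
        # Whole site on HTTPS: the session cookie travels encrypted.
        "secure_cookie_https_page": cookie_sent(secure, "https", "https"),
        # HTTPS login, HTTP pages: the cookie is withheld, so the user
        # appears logged out on every plain-HTTP page.
        "secure_cookie_http_page": cookie_sent(secure, "https", "http"),
        # HTTPS login without the flag: the session token goes out in
        # clear text on the next HTTP request.
        "plain_cookie_http_page": cookie_sent(plain, "https", "http"),
    }


if __name__ == "__main__":
    for name, header in scenarios().items():
        print(f"{name}: {header!r}")
```
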
