How secure is the login/registration form?


Well-known member
I have a user on one of my forums asking about security through logins. His complaint is that our website is not HTTPS, so the login form is potentially insecure as data is submitted in the clear.

Now, putting the forum behind SSL is not an option, as we do a lot through Twitch/YouTube/etc., and not all those services support HTTPS. For instance, you can't reliably embed a Twitch stream on an HTTPS server, since they don't have methods to handle that and you get mixed-content errors.

Is there a way to make the login form more secure?


Well-known member
Not really.

XenForo sets the 'ssl only' flag if the cookie touches an SSL connection, after which point every sane browser will throw the cookie away if it touches HTTP.

It doesn't actually win you very much to log in via HTTPS and then have your session token transmitted in clear text.
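The trade-off described in the reply above, as an added example that is not part of the thread and is not XenForo code: it models only the browser's Secure-attribute rule and shows which cookies from an HTTPS login response would accompany a later plain-HTTP page view. The cookie names, values and the `forum.example` host are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as a login response might send them.
# Cookie names and values are made up for this example.
HTTPS_LOGIN_WITH_SECURE = [
    "forum_session=3f9a1c; Path=/; HttpOnly; Secure",
    "forum_style=dark; Path=/",
]
HTTPS_LOGIN_WITHOUT_SECURE = [
    "forum_session=3f9a1c; Path=/; HttpOnly",
    "forum_style=dark; Path=/",
]


def parse_set_cookie(headers):
    """Return {name: is_secure} for a list of Set-Cookie header values."""
    flags = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            flags[name] = bool(morsel["secure"])
    return flags


def cookies_sent(headers, url):
    """Names of cookies a browser attaches to a request for `url`.

    Models only the Secure rule: a Secure cookie goes out over https only.
    Domain, Path and expiry matching are left out.
    """
    is_https = urlsplit(url).scheme == "https"
    return sorted(n for n, secure in parse_set_cookie(headers).items()
                  if is_https or not secure)


def exposed_in_clear(headers, session_name, http_url):
    """True if the session cookie would travel unencrypted to `http_url`."""
    return session_name in cookies_sent(headers, http_url)


if __name__ == "__main__":
    page = "http://forum.example/threads/1"
    for label, hdrs in (("Secure set", HTTPS_LOGIN_WITH_SECURE),
                        ("Secure missing", HTTPS_LOGIN_WITHOUT_SECURE)):
        print(label, "->", cookies_sent(hdrs, page),
              "session in clear:", exposed_in_clear(hdrs, "forum_session", page))
```

With Secure set, the session cookie is withheld from the HTTP page, so the visitor is not logged in there; without it, the session token goes out unencrypted on the next HTTP request.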