How secure is the login/registration form?

Jaxel

Jaxel

Well-known member
I have a user on one of my forums, asking about security through logins. His complaint is that our website is not HTTPS; so the login form is potentially insecure as data is submitted in the clear.

Now, putting the forum behind SSL is not an option. As we do a lot through Twitch/YouTube/etc, and not all those services support HTTPS. For instance, you can't reliably embed a Twitch stream on an HTTPS server, since they don't have methods to handle that and you get mixed-content errors.

Is there a way to make the login form more secure?
 
Sort by date Sort by votes
Not really.

XenForo sets the 'ssl only' flag if the cookie touches an ssl connection, after which point every sane browser will throw the cookie away if it touches http.

It doesn't actually win you very much to login via https and then have your session token transmitted in clear text.
 
  • Like
Reactions: HWS
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

Mouth
  • Question Question
XF 2.2 Lost password log - how frequently is the lost password form being triggered?
Replies
0
Views
118
Mouth
Mouth
L
XF 2.2 Xenforo Login Issues
Replies
0
Views
258
leebo
L
X
  • Question Question
XF 1.5 How Can I Edit the Registration/Login Page?
Replies
14
Views
801
XnForFanKN
X
X
XenForo search errors instead of reporting the search is too long
Replies
0
Views
204
Xon
X
X
XF\Mvc\Entity\Manager\getFinder does not reliably return the same type depending on class extensions
Replies
0
Views
422
Xon
X
Top Bottom