1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XF 1.2 Only Make Login SSL?

Discussion in 'XenForo Questions and Support' started by DRE, Oct 30, 2013.

  1. DRE

    DRE Well-Known Member

    How do I make it so that members can only login through SSL but the rest of the site is not SSL?
  2. Jeremy P

    Jeremy P Well-Known Member

    Why not just serve the whole site with SSL and make use of SPDY? It really shouldn't add too much additional load. I run a 100,000+ post forum with SSL via nginx+php-fpm on a budget (<$4/month) VPS.
    HWS, digitalpoint and Dinh Thanh like this.
  3. Dinh Thanh

    Dinh Thanh Well-Known Member

    Great price, where is it?
  4. DRE

    DRE Well-Known Member

    Making the whole site SSL means I won't be able to use a lot of BB Media Sites because some don't support SSL and I would have to buy a more expensive SSL to use the vanity urls multi-site feature of Better Blogs. All I really need is the login portion.
  5. digitalpoint

    digitalpoint Well-Known Member

    I assume you are trying to prevent a man in the middle attack so someone can't get user's login credentials. Kind of a moot point to just do it on the login page though since login credentials are transmitted on every request within cookies if the user chooses to stay logged in. You won't get actual password, but you could still log in as them.

    Better to go full SSL really (or just not at all since doing just the login is kind of pointless).
  6. CountRock

    CountRock Member

    Partly true, but since most users reuse their passwords everywhere we can do our part on keeping the passwords save while in transit and still get have all the positives of running a site over HTTP.

    I would be interested in this too, if someone can make a plugin to enable logins over HTTPS! That would be awesome!
  7. digitalpoint

    digitalpoint Well-Known Member

    What are the positives of running a site over HTTP? I can only think of negatives (less secure, slower/inability to use SPDY, etc)
    Jeremy P likes this.
  8. Mouth

    Mouth Well-Known Member

    Ad networks/marketplaces that don't properly support https source servers.
    Addons/code that hard codes http without supporting scheme, causing https insecure alerts
  9. Jeremy P

    Jeremy P Well-Known Member

    Those are drawbacks to HTTPS but I wouldn't say they're advantages to HTTP. Honestly I probably wouldn't want to run an addon who's maintainer is unwilling to fix something so trivial. Ad networks are a whole different thing though.

Share This Page