
XF 1.2 Only Make Login SSL?

DRE

Well-known member
#4
Why not just serve the whole site with SSL and make use of SPDY? It really shouldn't add too much additional load. I run a 100,000+ post forum with SSL via nginx+php-fpm on a budget (<$4/month) VPS.
Making the whole site SSL means I won't be able to use a lot of BB Media Sites because some don't support SSL and I would have to buy a more expensive SSL to use the vanity urls multi-site feature of Better Blogs. All I really need is the login portion.
 

digitalpoint

Well-known member
#5
I assume you are trying to prevent a man in the middle attack so someone can't get users' login credentials. Kind of a moot point to just do it on the login page though since login credentials are transmitted on every request within cookies if the user chooses to stay logged in. You won't get the actual password, but you could still log in as them.

Better to go full SSL really (or just not at all since doing just the login is kind of pointless).
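
The point in the post above, as an added example that is not part of the thread: with HTTPS only on the login page, the cookies set at login lack the `Secure` attribute and go out in cleartext on every later HTTP request. The cookie names, values and `forum.example` URLs are constructed, and all requests are assumed to go to the host that set the cookies.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: cookies set by a login handler served over HTTPS.
# Names and values are placeholders, not taken from the thread or any product.
LOGIN_ONLY_SSL = [
    "session_id=constructed-session; Path=/; HttpOnly",
    "stay_logged_in=constructed-token; Path=/; HttpOnly; Max-Age=2592000",
]
# The same cookies as a full-SSL site would set them.
FULL_SSL = [h + "; Secure" for h in LOGIN_ONLY_SSL]

# Constructed browsing session: HTTPS login, then ordinary pages over HTTP.
REQUESTS = [
    "https://forum.example/login/login",
    "http://forum.example/",
    "http://forum.example/threads/example.1/",
]

def parse_set_cookie(headers):
    """Map cookie name -> (secure flag, path) from Set-Cookie header values."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            jar[name] = (bool(morsel["secure"]), morsel["path"] or "/")
    return jar

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")

def cleartext_exposure(set_cookie_headers, request_urls):
    """Return {url: [cookie names]} for cookies a browser sends unencrypted."""
    jar = parse_set_cookie(set_cookie_headers)
    exposed = {}
    for url in request_urls:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # TLS protects the Cookie header on https requests
        sent = sorted(name for name, (secure, path) in jar.items()
                      if not secure and path_match(parts.path or "/", path))
        if sent:
            exposed[url] = sent
    return exposed
```

Run against the two constructed header sets, the login-only configuration reports both cookies on each HTTP page, while the `Secure` variants report nothing.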
 
#6
I assume you are trying to prevent a man in the middle attack so someone can't get users' login credentials. Kind of a moot point to just do it on the login page though since login credentials are transmitted on every request within cookies if the user chooses to stay logged in. You won't get the actual password, but you could still log in as them.

Better to go full SSL really (or just not at all since doing just the login is kind of pointless).
Partly true, but since most users reuse their passwords everywhere we can do our part on keeping the passwords safe while in transit and still have all the positives of running a site over HTTP.

I would be interested in this too, if someone can make a plugin to enable logins over HTTPS! That would be awesome!
 

digitalpoint

Well-known member
#7
Partly true, but since most users reuse their passwords everywhere we can do our part on keeping the passwords safe while in transit and still have all the positives of running a site over HTTP.
What are the positives of running a site over HTTP? I can only think of negatives (less secure, slower/inability to use SPDY, etc)
 

Jeremy P

Well-known member
#9
Those are drawbacks to HTTPS but I wouldn't say they're advantages to HTTP. Honestly I probably wouldn't want to run an addon whose maintainer is unwilling to fix something so trivial. Ad networks are a whole different thing though.