XF 1.2 Only Make Login SSL?

DRE

DRE

Well-known member
How do I make it so that members can only login through SSL but the rest of the site is not SSL?
 
Sort by date Sort by votes
Jeremy P said:
Why not just serve the whole site with SSL and make use of SPDY? It really shouldn't add too much additional load. I run a 100,000+ post forum with SSL via nginx+php-fpm on a budget (<$4/month) VPS.
Click to expand...
Making the whole site SSL means I won't be able to use a lot of BB Media Sites because some don't support SSL and I would have to buy a more expensive SSL to use the vanity urls multi-site feature of Better Blogs. All I really need is the login portion.
 
Upvote 0 Downvote
I assume you are trying to prevent a man in the middle attack so someone can't get user's login credentials. Kind of a moot point to just do it on the login page though since login credentials are transmitted on every request within cookies if the user chooses to stay logged in. You won't get actual password, but you could still log in as them.

Better to go full SSL really (or just not at all since doing just the login is kind of pointless).
 
Upvote 0 Downvote
digitalpoint said:
I assume you are trying to prevent a man in the middle attack so someone can't get user's login credentials. Kind of a moot point to just do it on the login page though since login credentials are transmitted on every request within cookies if the user chooses to stay logged in. You won't get actual password, but you could still log in as them.

Better to go full SSL really (or just not at all since doing just the login is kind of pointless).
Click to expand...

Partly true, but since most users reuse their passwords everywhere we can do our part on keeping the passwords save while in transit and still get have all the positives of running a site over HTTP.

I would be interested in this too, if someone can make a plugin to enable logins over HTTPS! That would be awesome!
 
Upvote 0 Downvote
CountRock said:
Partly true, but since most users reuse their passwords everywhere we can do our part on keeping the passwords save while in transit and still get have all the positives of running a site over HTTP.
Click to expand...
What are the positives of running a site over HTTP? I can only think of negatives (less secure, slower/inability to use SPDY, etc)
 
Upvote 0 Downvote
Those are drawbacks to HTTPS but I wouldn't say they're advantages to HTTP. Honestly I probably wouldn't want to run an addon who's maintainer is unwilling to fix something so trivial. Ad networks are a whole different thing though.
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

Steffen
Adding a Passkey implicitly enables 2FA which effectively disables password-based login and unexpectedly makes account recovery impossible
Replies
0
Views
36
Steffen
Steffen
Mr Lucky
  • Question Question
XF 2.2 Make Location show on registration form as optional - not as required
Replies
8
Views
371
Opus X
Opus X
R
  • Solved
XF 2.2 How do I make the article appear with the image and title only?
Replies
11
Views
131
Rodina
R
S
  • Question Question
XF 2.3 Cancel New User Registration, Login Only with Other Site User
Replies
0
Views
25
SelamT
S
P
Protect non-XenForo directory with XenForo login
Replies
8
Views
163
philmckrackon
philmckrackon
Back
Top Bottom