Discussion in 'XenForo Questions and Support' started by DRE, Oct 30, 2013.
How do I make it so that members can only login through SSL but the rest of the site is not SSL?
Why not just serve the whole site with SSL and make use of SPDY? It really shouldn't add too much additional load. I run a 100,000+ post forum with SSL via nginx+php-fpm on a budget (<$4/month) VPS.
Great price, where is it?
Making the whole site SSL means I won't be able to use a lot of BB Media Sites because some don't support SSL and I would have to buy a more expensive SSL to use the vanity urls multi-site feature of Better Blogs. All I really need is the login portion.
I assume you are trying to prevent a man in the middle attack so someone can't get user's login credentials. Kind of a moot point to just do it on the login page though since login credentials are transmitted on every request within cookies if the user chooses to stay logged in. You won't get actual password, but you could still log in as them.
Better to go full SSL really (or just not at all since doing just the login is kind of pointless).
Partly true, but since most users reuse their passwords everywhere we can do our part on keeping the passwords save while in transit and still get have all the positives of running a site over HTTP.
I would be interested in this too, if someone can make a plugin to enable logins over HTTPS! That would be awesome!
What are the positives of running a site over HTTP? I can only think of negatives (less secure, slower/inability to use SPDY, etc)
Ad networks/marketplaces that don't properly support https source servers.
Addons/code that hard codes http without supporting scheme, causing https insecure alerts
Those are drawbacks to HTTPS but I wouldn't say they're advantages to HTTP. Honestly I probably wouldn't want to run an addon who's maintainer is unwilling to fix something so trivial. Ad networks are a whole different thing though.
Separate names with a comma.