Re: [Savannah-hackers-public] Stay in https after login?
From: Sylvain
Subject: Re: [Savannah-hackers-public] Stay in https after login?
Date: Thu, 2 Jan 2014 23:26:48 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

Hi,
On Thu, Jan 02, 2014 at 02:53:16PM -0700, Bob Proulx wrote:
> There is a checkbox on the login.php page.
>
> [x] Stay in secure (https) mode after login
>
> The presented form may be accessed by either http or https. It
> defaults to checked which is good. The form submit action is always
> to an https URL which is also good. But then regardless of the
> setting of that checkbox the result is always https even if the
> checkbox is not checked. This is also good.
>
> I think this question is now obsolete and should be removed. I think
> it became obsolete when the form POST action switched to https.
> (Which was a very good thing.) Since this code was written there has
> been a big movement to make the web more secure. I think this is just
> a leftover from the old days.
>
> I will investigate a little more but I plan on removing that checkbox.
> I don't believe this will have any user visible effects.

To me this is a bug.

I also noted in a recent work environment that https was way more
restricted (proxy *whitelist* only) than plain http, so in some cases,
people may want to stay in plain http.

There may be a conflict between the choice of the checkbox and a)
HTTPSEverywhere plugin and/or b) a previous Savane cookie requesting
to switch to https.

Cheers and happy GNU year!

--
Sylvain