[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Savannah-hackers-public] Stay in https after login?

From: Sylvain
Subject: Re: [Savannah-hackers-public] Stay in https after login?
Date: Thu, 2 Jan 2014 23:26:48 +0100
User-agent: Mutt/1.5.21 (2010-09-15)


On Thu, Jan 02, 2014 at 02:53:16PM -0700, Bob Proulx wrote:
> There is a checkbox on the login.php page.
>   [x] Stay in secure (https) mode after login
> The presented form may be accessed by either http or https.  It
> defaults to checked which is good.  The form submit action is always
> to an https URL which is also good.  But then regardless of the
> setting of that checkbox the result is always https even if the
> checkbox is not checked.  This is also good.
> I think this question is now obsolete and should be removed.  I think
> it became obsolete when the form POST action switched to https.
> (Which was a very good thing.)  Since this code was written there has
> been a big movement to make the web more secure.  I think this is just
> a leftover from the old days.
> I will investigate a little more but I plan on removing that checkbox.
> I don't believe this will have any user visible effects.

To me this is a bug.

I also noted in a recent work environment that https was way more
restricted (proxy *whitelist* only) than plain http, so in some cases,
people may want to stay in plain http.

There may be a conflict between the choice of the checkbox and a)
HTTPSEverywhere plugin and/or b) a previous Savane cookie requesting
to switch to https.

Cheers and happy GNU year!


reply via email to

[Prev in Thread] Current Thread [Next in Thread]