Re: [Savannah-hackers-public] Stay in https after login?

From: Sylvain
Subject: Re: [Savannah-hackers-public] Stay in https after login?
Date: Sun, 5 Jan 2014 23:18:05 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

On Fri, Jan 03, 2014 at 03:18:02PM -0700, Bob Proulx wrote:
> Sylvain wrote:
> > Bob Proulx wrote:
> > > > To me this is a bug.
> > > 
> > > Which part of it?  There were several things mentioned.
> > 
> > The only non-sensible one: that _un_checking 'stay in https' stays in
> > https nonetheless.
> Well...  That technically may be a bug but it is one of those bugs
> that would never be noticed.  Because with the previous push to https
> that is generally what we want it to do.
> It would be worse if it failed the other direction and when https was
> desired it kicked the user back to http.  That way would be the bad
> case.  I am sure that would have been noticed.
> However you had said the need case was for a site that restricts
> access to all but a whitelisted set of domains and was not in
> that whitelist.  In such an environment savannah would need to *never*
> access https in order to allow a login.  That is different
> functionality than switching from https to http after login.  Even if
> the switch from http-to-https worked the restricted site would not be
> able to log in due to the https block.  Therefore I don't see the
> utility of a switch back to http feature.  For your use case it would
> need to allow logging in using http which opens the security hole of
> sending passwords in clear text.
> At one time it was generally thought that if everyone used https that
> the encryption would load down a server.  That is why many sites
> logged in with https but then switched to http.  Then they would
> require an https login again before doing anything that required
> security.  But as time has gone by hardware has gotten faster and
> using https all of the time is now generally thought not to be a
> server load concern.  The https is currently required and frontend
> hasn't been suffering load problems.

Agreed on all points.

> (vcs has but that is a different
> server.)

Physically different?

> > But actually it's not a bug: this checkbox creates a cookie that makes
> > the browser auto-switch to https when they open
> > Unchecking the box does not set that cookie.
> Are you saying that you can make this switch back to http for you?  I
> can't.  It always stays in https from my testing.

No, disabling the checkbox makes it _not_ switch to https when you
manually type a URL.

This is configured with a cookie named 'redirect_to_https', not set if
the checkbox is unchecked.

Agreed with getting rid of it.
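The cookie mechanism described in this thread, as an added example that is not part of the original message and not Savannah's (Savane's) own code. It assumes a WSGI-style request dict, keeps the cookie name 'redirect_to_https' quoted above, and models the site-wide https requirement Bob mentions with a hypothetical 'force_https' flag; the host, path and cookie lifetime in the sample are constructed for illustration.

```python
"""Cookie-driven http -> https redirect, modelled on the thread's description.

Added example, not the project's code. Assumptions: WSGI-style environ dict,
cookie name 'redirect_to_https' (from the thread), and a 'force_https' flag
standing in for the site-wide push to https discussed above.
"""
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import urlunsplit

COOKIE_NAME = "redirect_to_https"  # name quoted in the thread


def login_cookie_header(stay_in_https: bool) -> Optional[str]:
    """Set-Cookie value to emit on login, or None when the box is unchecked.

    Unchecking does not set the cookie; there is nothing to "unset", so an
    existing cookie from an earlier login keeps working until it expires.
    The cookie has to be sent over plain http for the redirect to fire, so
    it cannot carry the Secure attribute (lifetime here is an assumption).
    """
    if not stay_in_https:
        return None
    return f"{COOKIE_NAME}=1; Path=/; Max-Age=31536000"


def redirect_target(environ: dict, force_https: bool = False) -> Optional[str]:
    """Return the https URL to redirect to, or None to serve the request as-is.

    With force_https on, the cookie no longer changes anything: every http
    request is redirected whether or not the box was checked, which is why
    unchecking it appears to have no effect once https is required site-wide.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return None  # already on https, nothing to do
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    cookie_set = COOKIE_NAME in cookies and cookies[COOKIE_NAME].value == "1"
    if not (force_https or cookie_set):
        return None  # box unchecked and no site-wide requirement: stay on http
    host = environ.get("HTTP_HOST", "")
    path = environ.get("PATH_INFO") or "/"
    query = environ.get("QUERY_STRING", "")
    return urlunsplit(("https", host, path, query, ""))


def https_redirect_middleware(app, force_https: bool = False):
    """Wrap a WSGI app so http requests are redirected per redirect_target()."""
    def wrapped(environ, start_response):
        target = redirect_target(environ, force_https)
        if target is None:
            return app(environ, start_response)
        start_response("302 Found", [("Location", target), ("Content-Length", "0")])
        return [b""]
    return wrapped


if __name__ == "__main__":
    # Constructed sample request: user typed an http URL by hand.
    env = {
        "wsgi.url_scheme": "http",
        "HTTP_HOST": "example.org",
        "PATH_INFO": "/projects/foo",
        "QUERY_STRING": "",
        "HTTP_COOKIE": "redirect_to_https=1",
    }
    print("box checked, http typed   ->", redirect_target(env))
    print("box unchecked, http typed ->", redirect_target(dict(env, HTTP_COOKIE="")))
    print("site-wide https, unchecked->", redirect_target(dict(env, HTTP_COOKIE=""), force_https=True))
```

The third case is the situation the thread calls a bug: once the frontend requires https everywhere, the cookie is dead weight, and the box only misleads the user who unchecks it.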

