Does Using Secure Pages (SSL) with SMF Make Sense?

Started by DanCarroll, March 03, 2012, 06:58:43 AM


DanCarroll

I am considering the use of secure pages within the SMF environment to secure access to a database. Is there any reason not to consider this as an option? Is there any part of the SMF environment that secure pages won't inter-operate with?

Looking for feedback on the subject of secure pages under SMF. I don't wish to 'break' anything and am anticipating the client broaching the subject of security. I am deep into a database project for this client and have been relying on the innate security already built into SMF. I have no guest access on this particular system.

Thank you for any and all of your ideas and comments.

Roph

SMF will work fine in an SSL environment. Be sure to enable secure cookies under Server Settings -> Cookies & Sessions if you go that route. You should be aware that running all pages secure will put more load on your server.
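
One way to verify the secure-cookie setting mentioned above once the forum is served over HTTPS (an added example, not part of the original post and not SMF code): parse the `Set-Cookie` response headers and list cookies that lack the `Secure` attribute. The header lines, the cookie name `SMFCookie123`, and the function names are constructed for illustration.

```python
# Constructed sample response headers (not captured from a real forum).
# "SMFCookie123" is an assumed cookie name; PHPSESSID is PHP's default.
SAMPLE_HEADERS = [
    "Set-Cookie: SMFCookie123=constructed-value; "
    "expires=Sun, 03-Mar-2013 06:58:43 GMT; path=/; Secure; HttpOnly",
    "Set-Cookie: PHPSESSID=constructedsessionid; path=/secure/",
    "set-cookie: theme=secure; path=/",
    "Set-Cookie: lang=en; Path=/; SECURE",
]


def parse_set_cookie(line):
    """Return (cookie_name, {attribute_lowercased: value}) for one header line."""
    header, sep, value = line.partition(":")
    if not sep or header.strip().lower() != "set-cookie":
        raise ValueError("not a Set-Cookie header: %r" % line)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("missing name=value pair: %r" % line)
    cookie_name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    # Only the parts after name=value are attributes; names are case-insensitive.
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return cookie_name, attrs


def missing_secure(lines):
    """Return names of cookies set without the Secure attribute, in order seen."""
    flagged = []
    for line in lines:
        name, attrs = parse_set_cookie(line)
        # Match the attribute itself: a substring search for "secure" would
        # wrongly pass "path=/secure/" and "theme=secure".
        if "secure" not in attrs:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in missing_secure(SAMPLE_HEADERS):
        print("cookie sent without Secure attribute:", name)
```

A cookie listed here can still be sent by the browser over plain HTTP, so the check is worth repeating after any change to the cookie settings.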

DanCarroll

Thank you Roph, I am not ready to start using them yet, just checking into options. Would have to get a certificate and set it up with the hosting company. Should not be a problem with the server load. Have less than 50 users at present with no more than 12 online at the same time.

I should check into the SMF permissions and figure out how to integrate it into my code. So, thank you again. Time to get back to work for me. :D

MrPhil

Keep in mind that SSL only encrypts traffic between the browser and server (both ways). The text is still in the clear on the server itself and in the database, if you were counting on it being protected there. Depending on the subject matter being discussed, it is possible that regulations (e.g., HIPAA for U.S. medical discussions, or anything containing credit card or other sensitive personal information) may require that the database be encrypted too.

SMF would be much improved if it had a separate login page that could (optionally) be put under SSL, while leaving the rest of the forum non-SSL. However, the powers that be have decided never to do this.

DanCarroll

Never is an awful long time. Guess that could be a mod.  :laugh:
