Simple Machines Community Forum

General Community => Scripting Help => Topic started by: blitzzz - January 22, 2008, 06:53:56 AM

Title: login - https?
Posted by: blitzzz - January 22, 2008, 06:53:56 AM
Would it not be more secure to log in with https?
(encryption that protects data in transit)

It's common practice for sites to login with https (like yahoo, etc) and then after login redirect back to the http urls...

what all would need to be changed to do this?
Title: Re: login - https?
Posted by: k8jsl - January 22, 2008, 08:58:46 PM
You would need to purchase an SSL certificate.
For most site owners this is out of reach money-wise.
I maintain an SSL for my customer area, it's $149/yr for
a 256bit SSL certificate.
Title: Re: login - https?
Posted by: blitzzz - January 22, 2008, 09:52:03 PM
Thank you for the response.

It looks like I have access to one of these. It's also a 256bit certificate.
It says my "CSR Component is absent". I do have a "Private key" etc. (I will work on getting set up correctly.)

After it's set up: what next? Do I need to make the login go to that folder?
Note: I have a folder named "httpsdocs" made with Plesk.

I assume the login would go in that folder, correct? Then once a person signs in, is it OK to keep them logged in and then direct them to, let's say, httpdocs/forum/index: or should the whole forum be inside the httpsdocs folder?

Note: I will have digital products for sale - access would be based on "board permission" membergroups -- ssi login - what all do I need to do to make at least the login https?

While it's not a huge deal for extra security, it might be nice... (no sensitive info like credit cards or anything)

Basic instructions or even steering me in the right direction would be helpful.
Thanks so much to any that can enlighten me.
Title: Re: login - https?
Posted by: CmptrWz - January 22, 2008, 11:14:45 PM
The entire forum should probably be accessed https. I have seen many cookie/session issues across http and https myself. Yahoo and other companies compensate with the redirector URLs containing a one-time code that is then used to transfer the login session.

Take note, however, that your admin panel will probably scream at you that the SMF feeds are NOT secure. Beyond that, everything should work.
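
The one-time-code hand-off described in the post above, sketched as an added example that is not part of the thread and not SMF or Yahoo code; the function and class names, the 30-second lifetime and the separate http session id are assumptions. It also shows why a `Secure` login cookie does not carry over to `http` pages.

```python
import secrets
import time
from http.cookies import SimpleCookie

HANDOFF_TTL = 30  # seconds a code stays redeemable (assumed value)


def make_cookie(name, value, secure):
    """Build a session cookie; secure=True marks it https-only."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    jar[name]["secure"] = secure
    return jar[name]


def browser_sends(cookie, scheme):
    """Browser rule: a Secure cookie is withheld from plain-http requests."""
    return scheme == "https" or not cookie["secure"]


class Handoff:
    """One-time codes issued on the https host, redeemed on the http host."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}  # code -> (user, expiry time)
        self._clock = clock

    def issue(self, user):
        """After https login: return the code to put in the redirect URL."""
        code = secrets.token_urlsafe(32)
        self._pending[code] = (user, self._clock() + HANDOFF_TTL)
        return code

    def redeem(self, code):
        """On the http side: return (user, http cookie), or None if invalid."""
        user, expiry = self._pending.pop(code, (None, 0))  # pop = single use
        if user is None or self._clock() > expiry:
            return None
        # Separate session id: the https cookie value never travels in clear.
        return user, make_cookie("sid_http", secrets.token_urlsafe(32), False)


if __name__ == "__main__":
    handoff = Handoff()
    code = handoff.issue("alice")  # constructed user name
    print(handoff.redeem(code)[1].OutputString())
    print(handoff.redeem(code))  # None: the code was already used
```

The `sid_http` cookie still crosses the network unencrypted on every `http` request; only the login step and the https-side cookie are protected.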
Title: Re: login - https?
Posted by: blitzzz - January 23, 2008, 01:12:21 AM
TY for the feedback. :)

I'm not sure https is the way to go on this one (since there is no sensitive data) + doing some cross site scripting (3rd party site)... that might make it more of a pain. Your RSS comment got me thinking...

It makes sense that passing a login session from https to http would not be "as" secure.

Thanks again - for this project I think it would be overkill now that I think about it, and may just cause extra headaches. Still good info.
Title: Re: login - https?
Posted by: H - January 23, 2008, 01:44:06 PM
There is a secure login mod http://custom.simplemachines.org/mods/index.php?mod=880

However SMF should only send a hash of the password on most modern browsers (with javascript) so there isn't really much of an issue.
Title: Re: login - https?
Posted by: blitzzz - January 23, 2008, 07:06:23 PM
TY for the heads up on the login mod. Cool.

Thanks guys..