Secure login?

Started by razors edge, November 27, 2011, 09:32:57 AM

MrPhil

If you happen to have SSL on your site for other purposes (e.g., a store), it would be wonderful to be able to tell SMF to use SSL-protected pages or popups for login, password changes, filling in personal data such as email addresses, etc. It would also be good to be able to run the entire forum under SSL, as we keep getting requests to do. Alas, every time I suggest this optional use of SSL, the response is "No, because we don't want to force forum owners to pay for SSL".

ziycon

Without me reading up on the history, what's the reason https doesn't work?

Kindred

https works just fine

--- IF --- you set the entire site to https.

What they are asking for is to just make the logins and admin checks https....
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

MrPhil

The biggest problem is sorting out and coordinating all the various links on a page so that you don't get warnings about mixing insecure content with your secure page. Ad content and other links to external sites, where you have to explicitly give http: or https:, is a tough nut to crack. Other than that, it's pretty straightforward.

Kindred

well, not quite...

what would need to be https?

login...
but there are several login triggers/locations... including the bottom of every page....

what about password changes?
Admin verification/password checks?

ziycon

Adding just areas, would that not fall under server config, to tell your web server to only secure certain areas!?

MrPhil

I haven't heard of securing only parts of a screen (e.g., a login form), though I suppose that might be possible (form action https: on an otherwise http: page?). The usual practice is to have the entire page (or popup?) under SSL (or not). To avoid ugly browser warnings, you can't mix http: and https: on the same https: page.

Being able to log in securely (as well as do things like change passwords and otherwise handle sensitive information) would make a lot of forum owners very happy, so I don't know why the developers are so adamantly against it.

Let me repeat: using SSL would be OPTIONAL (choice of the forum owner), not mandatory for all SMF installations. If you want to spring for SSL just for SMF, that's your business. If you happen to have it already, why not be able to use it?
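
An added example, not part of any post in this thread and not SMF code: a Python audit of a page's markup for the two problems discussed above, http: subresources on an https: page and a password form that is fetched or submitted without SSL. The hosts, paths and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Only subresource loads count; plain <a href> links never trigger mixed-content warnings.
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}  # can rewrite the page
PASSIVE = {"img": "src", "audio": "src", "video": "src"}     # display-only

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.https = urlparse(page_url).scheme == "https"
        self.findings = []        # (kind, tag, absolute URL)
        self._form_action = None  # resolved action of the <form> currently open

    def _abs(self, url):
        return urljoin(self.page_url, url or "")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # canonical/alternate links load nothing
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            url = a.get(table.get(tag, ""))
            if self.https and url and urlparse(self._abs(url)).scheme == "http":
                self.findings.append((kind, tag, self._abs(url)))
        if tag == "form":
            self._form_action = self._abs(a.get("action"))
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self._form_action:
            if urlparse(self._form_action).scheme != "https":
                self.findings.append(("cleartext-password", "form", self._form_action))
            elif not self.https:
                # https: action on an http: page: the form arrives unauthenticated and can be altered.
                self.findings.append(("password-form-on-http-page", "form", self._form_action))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample markup (hypothetical hosts and paths).
SAMPLE = ('<link rel="stylesheet" href="/Themes/style.css"><img src="//cdn.example.org/logo.png">'
          '<script src="http://ads.example.net/show.js"></script><img src="http://img.example.net/b.gif">'
          '<a href="http://example.com/">link</a><form action="http://forum.example.com/login">'
          '<input type="password" name="pw"></form>')
```

Calling `audit("https://forum.example.com/index.php", SAMPLE)` reports the ad script, the banner image and the login form, while the relative stylesheet, the protocol-relative image and the plain external link pass.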

Kindred

MrPhil,

I would not say the developers are "adamantly against it". I have not seen our developers speak out for or against it...

I'd more say that
a) it is actually much more complicated than it first appears
and
b) either none of the current developers on the team have looked into it or perhaps are not interested in coding it.


However, since our GitHub codebase is publicly available and anyone can submit pull requests and code changes, -- if someone is truly interested in this and willing to contribute time and/or development effort to the update, they can do so quite easily.

Storman™

Can't help thinking that if someone was really paranoid about having their password intercepted by a "sniffer" then use a secure VPN instead, it would be much easier to implement.

If your content is "that" sensitive then maybe you should be thinking about a more appropriate product.

Personally I've never had a request from a member requesting a secure SSL login.
