Feature #3804
closed
Authentication over HTTPS
0%
Description
There should be global flag to indicate that login page should be served over HTTPS. As of now once can run whole application over either HTTP or HTTPS. Running everything over HTTPS is overkill and sending user credentials over HTTP is a security whole.
Related issues
Updated by Dipan Mehta over 11 years ago
I disagree!
There is no point in running only Login page in HTTPS and then let your session cookies visible to the rest of the world through HTTP only for some eavesdropper to hijack you once you logged in!
Everything should be HTTPS or HTTP only!
Updated by Go MAEDA almost 8 years ago
- Related to Feature #24763: Force SSL when Setting.protocol is "https" added
Updated by Go MAEDA 4 months ago
- Status changed from New to Closed
- Assignee set to Go MAEDA
- Resolution set to Wont fix
In the 15 years since this issue was created, it has become strongly recommended and virtually mandatory to serve all content over HTTPS. This practice is no longer considered "overkill".
Therefore, I believe there is no need to implement an option to enforce HTTPS only for the login page.