Feature Request: Secure RSS

[alpine]

The ability to have an RSS with https/SSL and/or password protection that uses the IPB database.

[bfarber]

The problem is most feed readers don't support password authentication.

And for https, the whole site has to go under https - if you do make this switch, the RSS will also go over https.

[Insideout]

You could just set it on or off, if you use the board over ssl or not.

[Mat Barrie]

You don't do anything to use the board over SSL. Simply drop it into a Web Root, and have Apache (or IIS, or Lighttpd, or whatever) bind that site as an SSL site. No IPB configuration needed. So, I'm not sure why you want them to add an option to IPB that by it's very nature can't do anything about it.

[DyCyn]

Secure RSS would be great, as the feature is not usable for me at the moment.

Just have the RSS link generated with a hash of the password. They'd need a new link whenever they changed their passwords, but it would work.

[alpine]

Well some form of security would be very useful when it comes to a public/internal site.

[Arts&Faith]

+1 on authenticated RSS. The readers and sites I use support it. Even so, as an option, that wouldn't constrain people who don't want to use it.

[DyCyn]

I have many hidden forums - an obvious example would be the administrators forum. If I were to enable RSS on that forum, any member could potentially read posts. If it checked my user account, and checked the permissions, then it would make the RSS feature usable.

[bfarber]

I have many hidden forums - an obvious example would be the administrators forum. If I were to enable RSS on that forum, any member could potentially read posts. If it checked my user account, and checked the permissions, then it would make the RSS feature usable.

That's easy to say, but how would a feed reader check your user account? A feed reader isn't going to have access to your cookies, for example...

[Matt]

We could go the google calendar's route and allow one to set up 'private' RSS feeds vai obfuscation.

index.php?rssid=1&key=ej3e8j3e83jhj8ji3jerjf

This would allow the creator to know the key, but not anyone else.

[stobbo]

We could go the google calendar's route and allow one to set up 'private' RSS feeds vai obfuscation.

This would allow the creator to know the key, but not anyone else.

I think that would be best, more secure, and more cross compatible :)

[DyCyn]

That's easy to say, but how would a feed reader check your user account? A feed reader isn't going to have access to your cookies, for example...

Yep, as I posted earlier (and as Matt has pointed out), a link with some sort of password hash or key would work. I forgot that Google calendar does it as well - activeCollab, a project management system, also uses this method.

I had used a similar method with 2.1 and IPBSDK to produce secure feeds. Would be great if it became a feature though :).

[Luke]

An idea I have is to create a random hash:

md5( uniqid( microtime() ) )

And save one for every member. That would be the "rss access key" that would automatically be appended to the end of the rss url. If the rss key is invalid or one isn't provided it would just assume it's a guest. If it is valid load up the forum permissions and apply them. Then in AdminCP you could reset an rss access key per member if you needed to.

[VelvetElvis]

Something that I've never seen in web forum software is support for public key encryption, for both posts and PMs. If you're going to encrypt RSS, how much harder would it be optionally encrypt everything? That would be awesome even as a paid addon.