Invision Community 4: SEO, prepare for v5 and dormant account notifications By Matt November 11, 2024
Eduardo Bautista Posted August 1, 2012 Posted August 1, 2012 Shouldn't it be on every page when you are logged in? I can still steal someone's cookie information if I really wanted to if it's not from an https.
Mikey B Posted August 1, 2012 Posted August 1, 2012 Shouldn't it be on every page when you are logged in? I can still steal someone's cookie information if I really wanted to if it's not from an https.You can enable it JUST for the login page, OR for the entire site. Some people find it more convenient to enable it for the login page only.
Collin S. Posted August 1, 2012 Posted August 1, 2012 You can use HTTPS for everything by changing your board's URL. We added a setting to force HTTPS for logins because that's when more security might be needed than a typical http session. Sending everything over HTTPS is slower and requires more bandwidth but it's supported. :)
Ryan H. Posted August 1, 2012 Posted August 1, 2012 I can still steal someone's cookie information if I really wanted to if it's not from an https. For what it's worth... no you can't. Not unless you have intentionally loosened IP.Board's security settings to allow that to be accomplished. For one thing, the session cookies are HttpOnly, so they can't be accessed by Javascript at all.
Nevo Posted August 2, 2012 Posted August 2, 2012 Honestly though, I would find the setting so much more useful if IPS gave us more freedom to specify it for an APP for URL Structure... Example, Having it in the Nexus or Subscriptions APP would be perfect. I know that i could do this manually however it would be really nice if you guys went into that direction for this specific setting... seeing as how not many will use it for login but surely for something else.
Mark Posted August 2, 2012 Posted August 2, 2012 Honestly though, I would find the setting so much more useful if IPS gave us more freedom to specify it for an APP for URL Structure... Example, Having it in the Nexus or Subscriptions APP would be perfect. I know that i could do this manually however it would be really nice if you guys went into that direction for this specific setting... seeing as how not many will use it for login but surely for something else. Nexus has it's own setting to enable https on appropriate pages.
Management Charles Posted August 2, 2012 Management Posted August 2, 2012 If you could steal someone's cookie that easily we would have rather large problems on the web :)
Eduardo Bautista Posted August 5, 2012 Author Posted August 5, 2012 If you could steal someone's cookie that easily we would have rather large problems on the web :smile:Well, this is mostly a problem on public wifi hotspots. I didn't mean stealing the cookie from someone using a different internet connection.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.