Invision Community 4: SEO, prepare for v5 and dormant account notifications Matt November 11, 2024Nov 11
Posted August 1, 201212 yr Shouldn't it be on every page when you are logged in? I can still steal someone's cookie information if I really wanted to if it's not from an https.
August 1, 201212 yr Shouldn't it be on every page when you are logged in? I can still steal someone's cookie information if I really wanted to if it's not from an https.You can enable it JUST for the login page, OR for the entire site. Some people find it more convenient to enable it for the login page only.
August 1, 201212 yr You can use HTTPS for everything by changing your board's URL. We added a setting to force HTTPS for logins because that's when more security might be needed than a typical http session. Sending everything over HTTPS is slower and requires more bandwidth but it's supported. :)
August 1, 201212 yr I can still steal someone's cookie information if I really wanted to if it's not from an https. For what it's worth... no you can't. Not unless you have intentionally loosened IP.Board's security settings to allow that to be accomplished. For one thing, the session cookies are HttpOnly, so they can't be accessed by Javascript at all.
August 2, 201212 yr Honestly though, I would find the setting so much more useful if IPS gave us more freedom to specify it for an APP for URL Structure... Example, Having it in the Nexus or Subscriptions APP would be perfect. I know that i could do this manually however it would be really nice if you guys went into that direction for this specific setting... seeing as how not many will use it for login but surely for something else.
August 2, 201212 yr Honestly though, I would find the setting so much more useful if IPS gave us more freedom to specify it for an APP for URL Structure... Example, Having it in the Nexus or Subscriptions APP would be perfect. I know that i could do this manually however it would be really nice if you guys went into that direction for this specific setting... seeing as how not many will use it for login but surely for something else. Nexus has it's own setting to enable https on appropriate pages.
August 2, 201212 yr Management If you could steal someone's cookie that easily we would have rather large problems on the web :)
August 5, 201212 yr Author If you could steal someone's cookie that easily we would have rather large problems on the web :smile:Well, this is mostly a problem on public wifi hotspots. I didn't mean stealing the cookie from someone using a different internet connection.
Archived
This topic is now archived and is closed to further replies.