Jump to content

Community

Eduardo Bautista

Why does IP.Board only support https for the login page?

Recommended Posts


Shouldn't it be on every page when you are logged in? I can still steal someone's cookie information if I really wanted to if it's not from an https.


You can enable it JUST for the login page, OR for the entire site. Some people find it more convenient to enable it for the login page only.

Share this post


Link to post
Share on other sites

You can use HTTPS for everything by changing your board's URL. We added a setting to force HTTPS for logins because that's when more security might be needed than a typical http session. Sending everything over HTTPS is slower and requires more bandwidth but it's supported. :)

Share this post


Link to post
Share on other sites

I can still steal someone's cookie information if I really wanted to if it's not from an https.


For what it's worth... no you can't. Not unless you have intentionally loosened IP.Board's security settings to allow that to be accomplished. For one thing, the session cookies are HttpOnly, so they can't be accessed by Javascript at all.

Share this post


Link to post
Share on other sites

Honestly though, I would find the setting so much more useful if IPS gave us more freedom to specify it for an APP for URL Structure... Example, Having it in the Nexus or Subscriptions APP would be perfect. I know that i could do this manually however it would be really nice if you guys went into that direction for this specific setting... seeing as how not many will use it for login but surely for something else.

Share this post


Link to post
Share on other sites

Honestly though, I would find the setting so much more useful if IPS gave us more freedom to specify it for an APP for URL Structure... Example, Having it in the Nexus or Subscriptions APP would be perfect. I know that i could do this manually however it would be really nice if you guys went into that direction for this specific setting... seeing as how not many will use it for login but surely for something else.




Nexus has it's own setting to enable https on appropriate pages.

Share this post


Link to post
Share on other sites

If you could steal someone's cookie that easily we would have rather large problems on the web :smile:


Well, this is mostly a problem on public wifi hotspots. I didn't mean stealing the cookie from someone using a different internet connection.

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

We use technologies, such as cookies, to customise content and advertising, to provide social media features and to analyse traffic to the site. We also share information about your use of our site with our trusted social media, advertising and analytics partners. See more about cookies and our Privacy Policy