Load login page over HTTPS if FORCE_SSL_LOGIN is set
Reported by: barry | Owned by:
Cc: johnbillion, knut@…, erick@…, joseph@…, j@…
Currently, if FORCE_SSL_LOGIN is set, we will make the HTTP POST request containing the username and password over SSL when logging in, but not the GET request for the login page. Users shouldn't have to examine HTML to figure out if their password is being sent in plain text. To ensure user confidence that they are logging in via an encrypted connection, we should redirect requests for the login page to https:// if FORCE_SSL_LOGIN is set, not only if FORCE_SSL_ADMIN is set. Troy Hunt explains the issue well in his post here: http://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html
While FORCE_SSL_ADMIN is obviously "best", it is not always possible or practical; this at least makes the login experience consistent.
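The decision the ticket asks for, as an added illustration that is not WordPress core code: a standalone function modelling the login-page GET under the current rule (only FORCE_SSL_ADMIN forces https) and under the proposed rule (FORCE_SSL_LOGIN forces it too). The function names, the `$apply_ticket` switch, and the `example.com` requests are constructed for this example; how core would wire it into wp-login.php is an assumption noted in the comments.

```php
<?php
// Added example, not WordPress core. No WordPress dependency, so it runs on its own.

/**
 * Return the https:// URL the login-page GET should be redirected to, or null
 * when the request may be served as-is.
 *
 * $force_ssl_login / $force_ssl_admin mirror the FORCE_SSL_LOGIN / FORCE_SSL_ADMIN
 * constants, $is_ssl mirrors WordPress' is_ssl(). $apply_ticket = false reproduces
 * current behaviour; true applies this ticket's proposal.
 */
function login_page_redirect_target( $force_ssl_login, $force_ssl_admin, $is_ssl,
                                     $host, $request_uri, $apply_ticket = true ) {
    // Current core: only FORCE_SSL_ADMIN moves the login form itself onto https.
    // Proposed: FORCE_SSL_LOGIN does too, so the form is never served over plain
    // http even though its POST target is already https.
    $must_be_ssl = $force_ssl_admin || ( $apply_ticket && $force_ssl_login );
    if ( ! $must_be_ssl || $is_ssl ) {
        return null;
    }
    // Only the scheme changes; path and query string (e.g. redirect_to) are kept.
    return 'https://' . $host . $request_uri;
}

// Constructed request: a plain-http GET for the login form, FORCE_SSL_LOGIN set,
// FORCE_SSL_ADMIN unset (the configuration the ticket is about).
$host = 'example.com';
$uri  = '/wp-login.php?redirect_to=%2Fwp-admin%2F';

// Current behaviour: null, i.e. the form (and the page the user judges by) is plain http.
var_dump( login_page_redirect_target( true, false, false, $host, $uri, false ) );

// Proposed behaviour: the GET is redirected to https before the form is rendered.
var_dump( login_page_redirect_target( true, false, false, $host, $uri, true ) );

// Already on https: no redirect in either mode, so no loop.
var_dump( login_page_redirect_target( true, false, true, $host, $uri, true ) );

// Assumed wiring in core (not shown running here): near the top of wp-login.php,
// call this with force_ssl_login(), force_ssl_admin(), is_ssl(), $_SERVER['HTTP_HOST']
// and $_SERVER['REQUEST_URI'], then wp_safe_redirect( $target ); exit;
// wp_safe_redirect() rejects off-site hosts, which matters because HTTP_HOST is
// attacker-controlled input and must not become an open redirect.
```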
Change History (11)
- Component changed from General to Security
- Milestone changed from Awaiting Review to 3.7