Opened 7 months ago
Last modified 6 months ago
#22283 new enhancement
Load login page over HTTPS if FORCE_SSL_LOGIN is set
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Awaiting Review |
| Component: | General | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | johnbillion, knut@… |
Description
Currently, if FORCE_SSL_LOGIN is set, we will make the HTTP POST request containing the username and password over SSL when logging in, but not the GET request for the login page. Users shouldn't have to examine HTML to figure out if their password is being sent in plain text. To ensure user confidence that they are logging in via an encrypted connection, we should redirect requests for the login page to https:// if FORCE_SSL_LOGIN, not only if FORCE_SSL_ADMIN is set. Troy Hunt explains the issue well in his post here - http://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html
While FORCE_SSL_ADMIN is obviously "best" it is not always possible or practical, but this at least makes the login experience consistent.
ryan and I have talked about this before. The problem, from what I recall, is that when SSL login is forced but not admin, we evaluate the user's original request — http or https — to decide which admin they get. But looking at the code, I'm not entirely sure that's the case. I might be recalling it wrong.