Which page to secure for login?
I tried it out and it works great, and EASY.
My question now is what are the proper pages to place it on to have the security I expect on Login? Using the Login addon. Do I set the Force SSL on the page with the Login block, the page called by the Login block, or both?
Type: Discussion
Status: New
Did you ever get an answer to this, as I am looking to do the same?
No, I did not. Would be nice to know.
Hi guys, my apologies for not getting back to you sooner on this.
The short answer is probably both - but let me explain the process so you can understand how this works.
If you have a page with a form on it and you want the post to be secure, it must post to a secure address. The protocol of the page holding the form does not matter, but the form's action must be to an https address.
However, if you are using the login addon, you may not have control over the form action to change it from using the current protocol to https. This would result in a post to an insecure address, followed by a redirect to the same page using https, also resulting in the loss of your post data.
So, if you secure the page that contains the form, in addition to the page you post to, your login addon should post to the current https protocol. This ensures your post data is encrypted, removes the additional redirect and has the added benefit of showing your users a secure page while they are actually entering their details. Never a bad thing :)
I hope that makes it all clearer...
Jon