Forum - http, login - https

skarlcf

It's possible in Vanilla? I fight with code, but... - Redirect from http to https - works. - Authentication - works. - Come back from https to https - works. - PROBLEM - here (I think) appear problem with cookies or sessions vars. Any idea how to resolve this problem without big changes in Vanilla Authenticator?

Dinoboff

I guess you have to set the secure cookie parameters to false using session_set_cookie_params for the session cookie and setcookie.

Dinoboff

That shouldn't be much of an issue for a forum... but using https for login and http for the rest will protect the password but not the session cookie; the cookie can still be easily intercepted and used to hijack your user accounts.

Public Wi-Fi even more insecure than previously thought.

skarlcf

Yes, you are right. But for me passwords are important, because some users might use the same password in several places. Dinoboff, could you help me with source example?

WallPhone

I believe the way this is handled (in yahoo mail, at least) is to pass the session data while in HTTPS to HTTP through a random key parameter in the URL that links the session data in the server.

Personally, I would do a second redirect to remove the random key from the address bar.

Speaking of Yahoo, they used to use a hash method that would workfor those without HTTPS certificates. Use a client-side md5 hash of the plaintext password hashed with some other random token.

Then the server validates that that is a valid FormPostBackKey, and hashes it with the already hashed value in the database.

example code (php .zip)

Dinoboff

After changing the action attribute of the login form for a secure url, I don't see any problem with the session or "remember me" cookie.

What exactly is your problem?