Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Forum - http, login - https

edited August 2007 in Vanilla 1.0 Help
It's possible in Vanilla? I fight with code, but... - Redirect from http to https - works. - Authentication - works. - Come back from https to https - works. - PROBLEM - here (I think) appear problem with cookies or sessions vars. Any idea how to resolve this problem without big changes in Vanilla Authenticator?


  • Options
    I guess you have to set the secure cookie parameters to false using session_set_cookie_params for the session cookie and setcookie.
  • Options
    That shouldn't be much of an issue for a forum... but using https for login and http for the rest will protect the password but not the session cookie; the cookie can still be easily intercepted and used to hijack your user accounts.

    Public Wi-Fi even more insecure than previously thought.
  • Options
    Yes, you are right. But for me passwords are important, because some users might use the same password in several places. Dinoboff, could you help me with source example?
  • Options
    edited August 2007
    I believe the way this is handled (in yahoo mail, at least) is to pass the session data while in HTTPS to HTTP through a random key parameter in the URL that links the session data in the server.

    Personally, I would do a second redirect to remove the random key from the address bar.

    Speaking of Yahoo, they used to use a hash method that would workfor those without HTTPS certificates. Use a client-side md5 hash of the plaintext password hashed with some other random token.

    Then the server validates that that is a valid FormPostBackKey, and hashes it with the already hashed value in the database.

    example code (php .zip)
  • Options
    After changing the action attribute of the login form for a secure url, I don't see any problem with the session or "remember me" cookie.

    What exactly is your problem?
This discussion has been closed.