[p2pu-dev] Question about the https change

John Britton john at p2pu.org
Wed Apr 18 17:25:48 UTC 2012


+1 full https, but only if there's not a way to fix the session issue
without it.
--
contact info:
http://www.johndbritton.com
@johndbritton - http://twitter.com/johndbritton



On Wed, Apr 18, 2012 at 4:49 PM, Jessy Kate Schingler
<jessy at jessykate.com> wrote:

> I confirm the login persistence issue fwiw...
> On Apr 18, 2012 8:12 AM, "Jos Flores" <josmasflores at gmail.com> wrote:
>
>> Hey Zuzel,
>>
>> it would be a good idea to ask for the password again if you want to
>> change it (or change your email).
>>
>> No one seems to be complaining about speed so I guess a full https
>> session is not as much of an issue as I thought. The only problem is
>> the login... would it be useful to redirect everything to https? In
>> that case the login issue should go?
>>
>> cheers,
>> José
>>
>>
>> On 15 April 2012 23:24, zuzel.vp <zuzel.vp at gmail.com> wrote:
>> > Having the login under https without using secure cookies (the use of
>> > secure cookies is the reason the user cannot be logged in under http)
>> > could give a false sense of security to the users when it will be
>> > possible for the session to be hijacked
>> > (http://en.wikipedia.org/wiki/Session_hijacking) when they switch back
>> > to http. That will be my main concern for not using secure cookies.
>> > Having said that, if requiring https for the whole session is not
>> > acceptable, then I will recommend we require re-typing the password
>> > (and https) for pages like edit password and change email. We will
>> > also need to check which pages of the site are displaying users' email
>> > to the authenticated users (e.g., sending badges to the OBI is
>> > probably doing this because the user needs to log in to BrowserID with
>> > the same email in order for the badges to be sent to the OBI). This
>> > will not protect private information like the p2pu inbox emails and
>> > the non-public info on signup answers but will at least secure users'
>> > passwords (useful if they are using the same password on another site)
>> > and their emails.
>> >
>> > --
>> > Thanks,
>> >     Zuzel
>> >
>> > On Fri, Apr 13, 2012 at 12:29 PM, Jos Flores <josmasflores at gmail.com> wrote:
>> >>
>> >> Hey guys, is all the site now running under https?
>> >> If so, would it make things slower and generate more load on the
>> >> server?
>> >>
>> >> We are seeing some side effects:
>> >> http://help.p2pu.org/discussions/problems/170-cannot-stay-logged-in
>> >>
>> >> I'm sure you guys have a good reason to change to a secure connection
>> >> but wouldn't protecting the login page be enough?
>> >>
>> >> Here's a piece of middleware (I haven't tested!) that passes the
>> >> cookie back to http after secure login:
>> >>
>> >> http://stackoverflow.com/questions/2799450/django-https-for-just-login-page
>> >>
>> >> It has drawbacks, but I think we could live with them? Any thoughts?
>> >>
>> >> I realise that a lot of work has gone into this
>> >> (http://p2pu.lighthouseapp.com/projects/71002/tickets/529-settup-https-on-newp2puorg#ticket-529-34)
>> >> so apologies for being a pain in the neck and bringing this up this
>> >> late!
>> >>
>> >> cheers,
>> >> José
>> >> _______________________________________________
>> >> p2pu-dev mailing list
>> >> p2pu-dev at lists.p2pu.org
>> >> http://lists.p2pu.org/mailman/listinfo/p2pu-dev
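The trade-off Zuzel describes (a Secure session cookie keeps the session off plaintext http but makes the user look logged out on http pages, while a non-Secure cookie stays logged in everywhere and can be hijacked on http), modelled as an added example that is not code from this thread or from the p2pu project. The cookie name `sessionid` is assumed (Django's default), and the Set-Cookie headers and URLs are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumed cookie name: Django's default session cookie.
SESSION_COOKIE = "sessionid"
# Constructed Set-Cookie headers, as a login response might issue them
# without and with the Secure attribute.
LOGIN_WITHOUT_SECURE = "sessionid=d3adb33f; Path=/; HttpOnly"
LOGIN_WITH_SECURE = "sessionid=d3adb33f; Path=/; HttpOnly; Secure"

def cookies_sent_to(set_cookie_header, url):
    """Cookies a browser would attach to a request for `url`, applying only
    the Secure rule (Path, Domain and expiry are out of scope here)."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    scheme = urlsplit(url).scheme
    sent = {}
    for name, morsel in jar.items():
        if morsel["secure"] and scheme != "https":
            continue  # a Secure cookie is never sent over plaintext http
        sent[name] = morsel.value
    return sent

def session_state(set_cookie_header, url):
    """The two questions the thread asks about one page load: is the user
    still logged in, and could an eavesdropper on the network read the
    session cookie (and so hijack the session)?"""
    sent = cookies_sent_to(set_cookie_header, url)
    logged_in = SESSION_COOKIE in sent
    hijackable = logged_in and urlsplit(url).scheme == "http"
    return {"logged_in": logged_in, "hijackable": hijackable}

def audit(set_cookie_header, pages):
    """Judge a deployment: the login cookie plus the URLs users actually
    visit (after any https redirect). Returns the first problem found."""
    states = [session_state(set_cookie_header, p) for p in pages]
    if any(s["hijackable"] for s in states):
        return "session cookie leaks over http (hijackable)"
    if not all(s["logged_in"] for s in states):
        return "user logged out on http pages (cookie is Secure)"
    return "ok"

if __name__ == "__main__":
    # Mixed deployment: https login page, http everywhere else.
    mixed = ["https://site.example/login/", "http://site.example/courses/"]
    for header in (LOGIN_WITHOUT_SECURE, LOGIN_WITH_SECURE):
        print(audit(header, mixed))
    # Redirecting everything to https removes both problems at once.
    print(audit(LOGIN_WITH_SECURE, [p.replace("http:", "https:") for p in mixed]))
```

Only the third configuration (Secure cookie plus every page on https) passes, which is the "redirect everything to https" option Jos raises above.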