[p2pu-dev] Question about the https change
zuzel.vp
zuzel.vp at gmail.com
Sun Apr 15 22:24:01 UTC 2012
Having the login under https without using secure cookies (the use of
secure cookies is the cause the user can not be logged in under http) could
give a false sense of security to the users when it will be possible for
the session to be hijacked (http://en.wikipedia.org/wiki/Session_hijacking)
when they switch back to http. That will be my main concern for not using
secure cookies. Having said that, if requiring https for the whole session
is not acceptable, then I will recommend we require re-typing the password
(and https) for pages like edit password and change email. We will also
need to check which pages of the site are displaying users' email to the
authenticated users (e.g., sending badges to the obi is probably doing this
because the user needs to login to browser id with the same email in order
for the badges to be sent to the OBI). This will not protect private
information like the p2pu inbox emails and the non-public info on signup
answers but will at least secure users password (useful if they are using
the same password in another site) and their emails.
--
Thanks,
Zuzel
On Fri, Apr 13, 2012 at 12:29 PM, Jos Flores <josmasflores at gmail.com> wrote:
> Hey guys, is all the site now running under https?
> If so, would it make things slower and generate more load on the server?
>
> We are seeing some side effects:
> http://help.p2pu.org/discussions/problems/170-cannot-stay-logged-in
>
> I'm sure you guys have a good reason to change to a secure connection
> but wouldn't protecting the login page be enough?
>
> Here's a piece of middleware (I haven't tested!) that passes the
> cookie back to http after secure login:
> http://stackoverflow.com/questions/2799450/django-https-for-just-login-page
>
> Has drawbacks but I think we could live with them? any thoughts?
>
> I realise that a lot of work has gone into this
> (
> http://p2pu.lighthouseapp.com/projects/71002/tickets/529-settup-https-on-newp2puorg#ticket-529-34
> )
> so apologies for being a pain in the neck and bringing this up this
> late!
>
> cheers,
> José
> _______________________________________________
> p2pu-dev mailing list
> p2pu-dev at lists.p2pu.org
> http://lists.p2pu.org/mailman/listinfo/p2pu-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.p2pu.org/pipermail/p2pu-dev/attachments/20120415/299fd496/attachment.html>
More information about the p2pu-dev
mailing list