[p2pu-dev] Question about the https change

Jos Flores josmasflores at gmail.com
Wed Apr 18 15:12:39 UTC 2012


Hey Zuzel,

it would be a good idea to ask for password again if you want to
change it (or change your email).

No one seems to be complaining about speed so I guess a full https
session is not as much of an issue as I thought. The only problem is
the login... would it be useful to redirect everything to https? In
that case the login issue should go?

cheers,
José


On 15 April 2012 23:24, zuzel.vp <zuzel.vp at gmail.com> wrote:
> Having the login under https without using secure cookies (the use of secure
> cookies is the reason the user cannot be logged in under http) could give a
> false sense of security to the users when it will be possible for the
> session to be hijacked (http://en.wikipedia.org/wiki/Session_hijacking) when
> they switch back to http. That will be my main concern for not using secure
> cookies. Having said that, if requiring https for the whole session is not
> acceptable, then I will recommend we require re-typing the password (and
> https) for pages like edit password and change email. We will also need to
> check which pages of the site are displaying users' email to the
> authenticated users (e.g., sending badges to the OBI is probably doing this
> because the user needs to log in to BrowserID with the same email in order
> for the badges to be sent to the OBI). This will not protect private
> information like the p2pu inbox emails and the non-public info on signup
> answers but will at least secure users' passwords (useful if they are using
> the same password on another site) and their emails.
>
> --
> Thanks,
>     Zuzel
>
> On Fri, Apr 13, 2012 at 12:29 PM, Jos Flores <josmasflores at gmail.com> wrote:
>>
>> Hey guys, is all the site now running under https?
>> If so, would it make things slower and generate more load on the server?
>>
>> We are seeing some side effects:
>> http://help.p2pu.org/discussions/problems/170-cannot-stay-logged-in
>>
>> I'm sure you guys have a good reason to change to a secure connection
>> but wouldn't protecting the login page be enough?
>>
>> Here's a piece of middleware (I haven't tested!) that passes the
>> cookie back to http after secure login:
>>
>> http://stackoverflow.com/questions/2799450/django-https-for-just-login-page
>>
>> It has drawbacks, but I think we could live with them? Any thoughts?
>>
>> I realise that a lot of work has gone into this
>>
>> (http://p2pu.lighthouseapp.com/projects/71002/tickets/529-settup-https-on-newp2puorg#ticket-529-34)
>> so apologies for being a pain in the neck and bringing this up this
>> late!
>>
>> cheers,
>> José
>> _______________________________________________
>> p2pu-dev mailing list
>> p2pu-dev at lists.p2pu.org
>> http://lists.p2pu.org/mailman/listinfo/p2pu-dev
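The two fixes the thread converges on, a site-wide redirect to https plus a session cookie that is only ever sent over https, written out as an added example in plain WSGI (this is not p2pu's or Django's own code). The session cookie name, the host, and the stand-in login view are assumptions; the request environments it is driven with are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import quote

SESSION_COOKIE = "sessionid"  # Django's default session cookie name (assumption)

def request_scheme(environ):
    # Trust X-Forwarded-Proto only behind a TLS terminator that always sets it;
    # otherwise a client could claim "https" itself and skip the redirect.
    return environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme", "http")).lower()

def https_location(environ):
    """Same host, path and query string as the request, but with the https scheme."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    query = environ.get("QUERY_STRING", "")
    return "https://" + host + quote(environ.get("PATH_INFO", "/")) + ("?" + query if query else "")

def harden_set_cookie(value):
    """Add Secure and HttpOnly to the session cookie; other cookies pass through unchanged."""
    jar = SimpleCookie()
    jar.load(value)
    if SESSION_COOKIE not in jar:
        return value
    morsel = jar[SESSION_COOKIE]
    morsel["secure"] = True    # browser never sends it over plain http, so no hijack there
    morsel["httponly"] = True  # and page script cannot read it
    return morsel.OutputString()

class ForceHttpsMiddleware:
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        if request_scheme(environ) != "https":
            start_response("301 Moved Permanently",
                           [("Location", https_location(environ)), ("Content-Length", "0")])
            return [b""]
        def hardened_start_response(status, headers, exc_info=None):
            headers = [(k, harden_set_cookie(v) if k.lower() == "set-cookie" else v)
                       for k, v in headers]
            return start_response(status, headers, exc_info)
        return self.app(environ, hardened_start_response)

def demo_app(environ, start_response):
    # Stand-in for the site's login view (assumption): sets a session cookie and a CSRF cookie.
    start_response("200 OK", [("Set-Cookie", "sessionid=abc123; Path=/"), ("Set-Cookie", "csrftoken=xyz; Path=/")])
    return [b"logged in"]

def run_request(app, environ):
    # Drive one WSGI request and return (status, headers) for inspection.
    captured = {}
    start_response = lambda status, headers, exc_info=None: captured.update(status=status, headers=headers)
    list(app(environ, start_response))  # consume the body iterable
    return captured["status"], captured["headers"]
```

A plain-http hit on the login page is answered with a redirect to the same URL on https, and once on https the session cookie leaves the server with Secure and HttpOnly, so the "cannot stay logged in" symptom from the help ticket cannot recur because nothing is served over http any more.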

