[p2pu-dev] Question about the https change

Jessy Kate Schingler jessy at jessykate.com
Wed Apr 18 15:49:39 UTC 2012


I confirm the login persistence issue fwiw...
On Apr 18, 2012 8:12 AM, "Jos Flores" <josmasflores at gmail.com> wrote:

> Hey Zuzel,
>
> it would be a good idea to ask for password again if you want to
> change it (or change your email).
>
> No one seems to be complaining about speed so I guess a full https
> session is not as much of an issue as I thought. The only problem is
> the login... would it be useful to redirect everything to https? in
> that case the login issue should go?
>
> cheers,
> José
>
>
> On 15 April 2012 23:24, zuzel.vp <zuzel.vp at gmail.com> wrote:
> > Having the login under https without using secure cookies (the use of
> > secure cookies is the cause the user cannot be logged in under http) could
> > give a false sense of security to the users when it will be possible for
> > the session to be hijacked (http://en.wikipedia.org/wiki/Session_hijacking)
> > when they switch back to http. That will be my main concern for not using
> > secure cookies. Having said that, if requiring https for the whole session
> > is not acceptable, then I will recommend we require re-typing the password
> > (and https) for pages like edit password and change email. We will also
> > need to check which pages of the site are displaying users' email to the
> > authenticated users (e.g., sending badges to the OBI is probably doing
> > this because the user needs to log in to BrowserID with the same email in
> > order for the badges to be sent to the OBI). This will not protect private
> > information like the p2pu inbox emails and the non-public info on signup
> > answers but will at least secure users' password (useful if they are using
> > the same password in another site) and their emails.
> >
> > --
> > Thanks,
> >     Zuzel
> >
> > On Fri, Apr 13, 2012 at 12:29 PM, Jos Flores <josmasflores at gmail.com> wrote:
> >>
> >> Hey guys, is all the site now running under https?
> >> If so, would it make things slower and generate more load on the server?
> >>
> >> We are seeing some side effects:
> >> http://help.p2pu.org/discussions/problems/170-cannot-stay-logged-in
> >>
> >> I'm sure you guys have a good reason to change to a secure connection
> >> but wouldn't protecting the login page be enough?
> >>
> >> Here's a piece of middleware (I haven't tested!) that passes the
> >> cookie back to http after secure login:
> >>
> >> http://stackoverflow.com/questions/2799450/django-https-for-just-login-page
> >>
> >> Has drawbacks but I think we could live with them? any thoughts?
> >>
> >> I realise that a lot of work has gone into this
> >> (http://p2pu.lighthouseapp.com/projects/71002/tickets/529-settup-https-on-newp2puorg#ticket-529-34)
> >> so apologies for being a pain in the neck and bringing this up this
> >> late!
> >>
> >> cheers,
> >> José
> >> _______________________________________________
> >> p2pu-dev mailing list
> >> p2pu-dev at lists.p2pu.org
> >> http://lists.p2pu.org/mailman/listinfo/p2pu-dev
> >
> >
> >
> >
>
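The site-wide redirect Jos asks about, written as an added example rather than code from this thread or the p2pu project: a plain WSGI middleware (assumed names `ForceHttps`, `login_app`, `call`; `sessionid` is Django's default cookie name) that sends every http request to its https equivalent and adds the Secure flag to the session cookie, which is the combination that makes the "cannot stay logged in" symptom go away instead of weakening the cookie. The proxy header check assumes a trusted reverse proxy in front of the app.

```python
# Added example, not code from the thread or the p2pu project. Plain WSGI so it
# runs without Django; Django's equivalent is SESSION_COOKIE_SECURE = True plus
# a site-wide http->https redirect.
from urllib.parse import quote
SESSION_COOKIE = "sessionid"  # Django's default session cookie name

def is_https(environ):
    # Direct TLS, or TLS terminated at a proxy assumed here to be trusted.
    return (environ.get("wsgi.url_scheme") == "https" or
            environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https")

def https_url(environ):
    # Same host, path and query string, but with the https scheme.
    qs = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (environ.get("HTTP_HOST") or environ["SERVER_NAME"],
                                quote(environ.get("PATH_INFO", "/")), "?" + qs if qs else "")

def mark_secure(header):
    # Add the Secure flag to the session Set-Cookie header if it is missing.
    name, value = header
    if (name.lower() == "set-cookie" and value.startswith(SESSION_COOKIE + "=")
            and "; secure" not in value.lower()):
        value += "; Secure"
    return (name, value)

class ForceHttps:
    """Redirect plain-http requests to https and flag the session cookie Secure,
    so the Secure flag never leaves a user looking logged out under http."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        if not is_https(environ):
            start_response("301 Moved Permanently", [("Location", https_url(environ))])
            return [b""]
        def secure_start(status, headers, exc_info=None):
            return start_response(status, [mark_secure(h) for h in headers], exc_info)
        return self.app(environ, secure_start)

def login_app(environ, start_response):
    # Constructed stand-in for the login view: it sets the session cookie.
    start_response("200 OK", [("Set-Cookie", "sessionid=abc123; HttpOnly; Path=/")])
    return [b"logged in"]

def call(app, environ):
    # Drive one request through a WSGI app and return (status, headers).
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
    list(app(environ, start_response))
    return seen["status"], seen["headers"]
```

Wrapping the Django WSGI application in `ForceHttps` gives the behaviour of "redirect everything to https": the browser only ever sees the site over TLS, so the Secure cookie is always sent and no request ever carries the session in the clear.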

