[p2pu-dev] Question about the https change

VampB vampireb at gmail.com
Thu Apr 19 02:20:32 UTC 2012


I think the question is: how sensitive is all the information in a user's
session? I am guessing it's only the password and maybe the email address.
Maybe we can make full https optional, like Facebook and Twitter are doing,
and only mandatory for login and donation?

On Wed, Apr 18, 2012 at 1:25 PM, John Britton <john at p2pu.org> wrote:

> +1 full https, but only if there's not a way to fix the session issue
> without it.
> --
> contact info:
> http://www.johndbritton.com
> @johndbritton - http://twitter.com/johndbritton
>
>
>
> On Wed, Apr 18, 2012 at 4:49 PM, Jessy Kate Schingler <jessy at jessykate.com> wrote:
>
>> I confirm the login persistence issue fwiw...
>> On Apr 18, 2012 8:12 AM, "Jos Flores" <josmasflores at gmail.com> wrote:
>>
>>> Hey Zuzel,
>>>
>>> it would be a good idea to ask for password again if you want to
>>> change it (or change your email).
>>>
>>> No one seems to be complaining about speed so I guess a full https
>>> session is not as much of an issue as I thought. The only problem is
>>> the login... would it be useful to redirect everything to https? In
>>> that case the login issue should go?
>>>
>>> cheers,
>>> José
>>>
>>>
>>> On 15 April 2012 23:24, zuzel.vp <zuzel.vp at gmail.com> wrote:
>>> > Having the login under https without using secure cookies (the use of
>>> > secure cookies is the reason the user cannot be logged in under http)
>>> > could give a false sense of security to the users when it will be
>>> > possible for the session to be hijacked
>>> > (http://en.wikipedia.org/wiki/Session_hijacking) when they switch back
>>> > to http. That will be my main concern for not using secure cookies.
>>> > Having said that, if requiring https for the whole session is not
>>> > acceptable, then I will recommend we require re-typing the password
>>> > (and https) for pages like edit password and change email. We will
>>> > also need to check which pages of the site are displaying users' email
>>> > to the authenticated users (e.g., sending badges to the OBI is probably
>>> > doing this because the user needs to log in to BrowserID with the same
>>> > email in order for the badges to be sent to the OBI). This will not
>>> > protect private information like the p2pu inbox emails and the
>>> > non-public info on signup answers but will at least secure users'
>>> > passwords (useful if they are using the same password on another site)
>>> > and their emails.
>>> >
>>> > --
>>> > Thanks,
>>> >     Zuzel
>>> >
>>> > On Fri, Apr 13, 2012 at 12:29 PM, Jos Flores <josmasflores at gmail.com> wrote:
>>> >>
>>> >> Hey guys, is the whole site now running under https?
>>> >> If so, would it make things slower and generate more load on the
>>> >> server?
>>> >>
>>> >> We are seeing some side effects:
>>> >> http://help.p2pu.org/discussions/problems/170-cannot-stay-logged-in
>>> >>
>>> >> I'm sure you guys have a good reason to change to a secure connection
>>> >> but wouldn't protecting the login page be enough?
>>> >>
>>> >> Here's a piece of middleware (I haven't tested!) that passes the
>>> >> cookie back to http after secure login:
>>> >>
>>> >> http://stackoverflow.com/questions/2799450/django-https-for-just-login-page
>>> >>
>>> >> It has drawbacks, but I think we could live with them? Any thoughts?
>>> >>
>>> >> I realise that a lot of work has gone into this
>>> >> (http://p2pu.lighthouseapp.com/projects/71002/tickets/529-settup-https-on-newp2puorg#ticket-529-34)
>>> >> so apologies for being a pain in the neck and bringing this up this
>>> >> late!
>>> >>
>>> >> cheers,
>>> >> José
>>> >> _______________________________________________
>>> >> p2pu-dev mailing list
>>> >> p2pu-dev at lists.p2pu.org
>>> >> http://lists.p2pu.org/mailman/listinfo/p2pu-dev
>>> >
>>> >
>>> >
>>> >
>>>
>>
>>
>>
>
>
>
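The secure-cookie trade-off Zuzel and José discuss above, as an added example that is not part of this thread or of the p2pu code base: it models how a browser treats a session cookie set with and without the Secure attribute, and audits a Set-Cookie header for the attributes a session cookie should carry. The cookie name follows Django's default `sessionid`; the Set-Cookie lines and URLs are constructed samples.

```python
# Added example (not from the p2pu thread). With Secure set, the session
# cookie is withheld on plain http requests, so the user looks logged out
# there (the "cannot stay logged in" symptom). Without it, the cookie rides
# on every http request and is exposed on the wire, which is the session
# hijacking risk Zuzel raises. Cookie name and Set-Cookie lines below are
# constructed samples modelled on Django's default session cookie.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Roughly what Django emits with SESSION_COOKIE_SECURE = False (the default)
# versus SESSION_COOKIE_SECURE = True plus SESSION_COOKIE_HTTPONLY = True.
WEAK_SET_COOKIE = "sessionid=c0n5tructed5ample; Path=/; Max-Age=1209600"
HARDENED_SET_COOKIE = (
    "sessionid=c0n5tructed5ample; Path=/; Max-Age=1209600; Secure; HttpOnly"
)


def parse_set_cookie(header):
    """Return (name, morsel) for a single Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    return next(iter(jar.items()))


def cookie_sent_over(header, url):
    """Would a browser attach this cookie to a request for `url`?

    Only the Secure and Path rules are modelled; Domain matching is left out.
    """
    _, morsel = parse_set_cookie(header)
    parts = urlsplit(url)
    if morsel["secure"] and parts.scheme != "https":
        return False  # Secure cookies travel only over https
    path = morsel["path"] or "/"
    return parts.path.startswith(path)


def audit_session_cookie(header, session_names=("sessionid",)):
    """List the attributes a session cookie is missing; empty list means OK."""
    name, morsel = parse_set_cookie(header)
    if name not in session_names:
        return []  # not a session cookie, nothing to check
    findings = []
    if not morsel["secure"]:
        findings.append("missing Secure: session id travels over plain http")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: session id readable by page scripts")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        for url in ("http://example.test/groups/", "https://example.test/groups/"):
            print(label, url, "sent" if cookie_sent_over(header, url) else "withheld")
        print(label, audit_session_cookie(header))
```

Run as a script it prints, for each cookie, whether it would be sent on the http and https URLs and which attributes it lacks.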