Switch to https for sign in and sign up #71
Comments
Interesting. I think it would be even better to serve the whole site over HTTPS, otherwise it’s vulnerable to session hijacking if someone can intercept the traffic. The main security advantage of serving the login page over HTTP, assuming the rest of the site (including session cookies) is transmitted in the clear, is that it prevents the plain text password being intercepted. If the user has reused a password that they also use on other sites, that could be a problem. But if you’re setting up SSL anyway, why not just serve the whole site over HTTPS? It’s simpler to deploy, as well as more secure.
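The difference between the two deployment policies discussed in this comment (HTTPS for the login page only versus HTTPS for the whole site) can be shown in a small Rack-style middleware. The following is an added example written for this thread, not Alaveteli's own code: the class name `ForceHttps`, the `/login` and `/signup` paths, the `example.test` host and the cookie values are all constructed for the example. It assumes only the plain Rack calling convention (`call(env)` returning `[status, headers, body]`), so it runs without the `rack` gem.

```ruby
# Added example (not Alaveteli's code): a Rack-style middleware comparing a
# login-only HTTPS policy with a site-wide one. Site-wide HTTPS lets the
# session cookie carry the Secure flag; login-only HTTPS cannot, because the
# cookie must still be sent on plain HTTP pages, which is what leaves the
# session open to hijacking by anyone who can intercept the traffic.
class ForceHttps
  # Paths that a login-only policy protects (assumed names, not Alaveteli routes).
  LOGIN_PATHS = ['/login', '/signup'].freeze

  def initialize(app, whole_site: true)
    @app = app
    @whole_site = whole_site
  end

  def call(env)
    # Behind a TLS-terminating proxy the original scheme arrives in X-Forwarded-Proto.
    scheme = env['HTTP_X_FORWARDED_PROTO'] || env['rack.url_scheme']
    path   = env['PATH_INFO']

    if scheme != 'https' && needs_https?(path)
      location = "https://#{env['HTTP_HOST']}#{path}"
      query = env['QUERY_STRING'].to_s
      location += "?#{query}" unless query.empty?
      return [301, { 'Location' => location, 'Content-Type' => 'text/plain' }, ['Redirecting to HTTPS']]
    end

    status, headers, body = @app.call(env)
    headers = headers.dup
    if @whole_site
      # Only safe when every page is HTTPS: browsers will refuse to send a
      # Secure cookie over HTTP, and HSTS pins the whole origin to HTTPS.
      headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains' if scheme == 'https'
      headers['Set-Cookie'] = harden_cookies(headers['Set-Cookie']) if headers['Set-Cookie']
    end
    [status, headers, body]
  end

  private

  def needs_https?(path)
    @whole_site || LOGIN_PATHS.any? { |p| path.start_with?(p) }
  end

  # Append Secure and HttpOnly to each Set-Cookie value that lacks them.
  # Accepts a String (one cookie) or an Array of cookie strings.
  def harden_cookies(set_cookie)
    hardened = Array(set_cookie).map do |c|
      c = "#{c}; Secure"   unless c =~ /;\s*secure\b/i
      c = "#{c}; HttpOnly" unless c =~ /;\s*httponly\b/i
      c
    end
    set_cookie.is_a?(Array) ? hardened : hardened.join("\n")
  end
end

# True when a response's session cookie would be sent by the browser over
# plain HTTP, i.e. it lacks the Secure attribute.
def session_cookie_exposed?(headers)
  Array(headers['Set-Cookie']).any? { |c| c !~ /;\s*secure\b/i }
end

# Constructed backend: every response sets a session cookie, as a Rails app would.
SAMPLE_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/html', 'Set-Cookie' => '_session_id=abc123; Path=/' }, ['ok']]
end

def sample_env(scheme, path, query = '')
  { 'rack.url_scheme' => scheme, 'PATH_INFO' => path,
    'HTTP_HOST' => 'example.test', 'QUERY_STRING' => query }
end

if $PROGRAM_NAME == __FILE__
  [true, false].each do |whole|
    mw = ForceHttps.new(SAMPLE_APP, whole_site: whole)
    status, headers, = mw.call(sample_env('http', '/request/123'))
    puts "whole_site=#{whole}: GET http://example.test/request/123 -> #{status}, " \
         "session cookie exposed over HTTP: #{status == 200 && session_cookie_exposed?(headers)}"
  end
end
```

With `whole_site: true` every plain-HTTP request is redirected and the cookie the backend sets comes back as `_session_id=abc123; Path=/; Secure; HttpOnly`; with `whole_site: false` only `/login` and `/signup` redirect, and an ordinary page over HTTP still hands the browser a session cookie with no Secure flag, which is the hijacking exposure the comment describes.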
👍 on serving the whole site over https
Alaveteli now has support and instructions for running the entire site over SSL/TLS.
Currently authentication and sign up data are sent in plain text. To improve security, authentication and sign up data should be transmitted in encrypted form.
Note: an SSL certificate needs to be purchased for each Alaveteli implementation.