https: security for the forums is expired

Status
Not open for further replies.
I get what you're saying about the login being secure, but what I'm saying is that if you log in via an https link, and then after you are logged in you just go and change that link to http, that actually will log you out.

So unless I'm mistaken (absolutely possible!) you can't login under a secure connection and then stay logged in under an insecure one.
Normal behavior for cookies (used in the login process) is that a cookie which is set during an HTTPS session can be optionally marked as "secure". If that attribute is added at the time the cookie is set, then it will not be sent by the browser when it makes an HTTP Request. That means effectively that a login made under HTTPS cannot give you access to HTTP pages that require you to be logged in.
The alternative, not marking the cookie as secure, allows the login to cover both HTTP and HTTPS page requests, but also exposes the cookie over insecure requests, so that someone monitoring the traffic could see the cookie and use it to hijack your login session.
Both choices have their advantages, but if not all pages and all formatting options are reachable via HTTPS, the first option is not practical.
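Added example (not code from the thread or the forum software): the Secure-attribute behaviour described above, reproduced with Python's standard-library cookie jar, which applies the same rule a browser does. The host forum.example and the two Set-Cookie lines are constructed for the demonstration.

```python
"""Show how the Secure attribute decides whether a login cookie set over
HTTPS is sent on later HTTP and HTTPS requests. Standard library only."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Hypothetical forum host used throughout the demonstration.
HOST = "forum.example"


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends, so several are kept

    def info(self):
        return self._headers


def login_over_https(set_cookie_headers):
    """Simulate a login response received over HTTPS and return the cookie jar."""
    jar = CookieJar()
    request = Request(f"https://{HOST}/login")
    jar.extract_cookies(_FakeResponse(set_cookie_headers), request)
    return jar


def cookies_sent_to(jar, url):
    """Return the cookie names the jar would attach to a request for url."""
    request = Request(url)
    jar.add_cookie_header(request)  # applies the Secure / domain / path checks
    header = request.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


# Constructed Set-Cookie headers: one session cookie with Secure, one without.
SECURE_LOGIN = ["session=abc123; Path=/; Secure; HttpOnly"]
INSECURE_LOGIN = ["session=abc123; Path=/; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("Secure", SECURE_LOGIN), ("not Secure", INSECURE_LOGIN)):
        jar = login_over_https(headers)
        print(f"{label}: https -> {cookies_sent_to(jar, f'https://{HOST}/forum')}, "
              f"http -> {cookies_sent_to(jar, f'http://{HOST}/forum')}")
```

With the Secure cookie the http:// request carries no session cookie at all, which is exactly why switching the URL to http after an HTTPS login looks like being logged out.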
 
That makes sense, thanks for that explanation.

How would one mark a cookie "not secure" on a site with a cert? This seems like something that would be coded into the forum software.

So in the instance where a site has a cert, and it's up to date, something like this might operate normally and the user wouldn't know any different. But on a site without a cert, or with an expired one, you really would not be able to do this, would you?

Could you give me an example of something that might not be reachable via https?
 
A cookie is marked by the server-delivered code that sets it in the first place. You can only mark a cookie as secure if it is delivered over an HTTPS connection, so a site which does not have a server certificate (valid or invalid) could not set a secure cookie.
You, as the user browsing the site, have no control over the cookie attributes.
 
Did you click the Remember Me box?

Yes. It does remember me in that I don't have to manually enter my name and password. It's just that it seems to have short-term memory loss: I can be logged in, then go back to another page and it forgets me, but not always. But just now I left the site, went to another, then came back and it remembered me. Go figure.

-Hal
 