Project

General

Profile

Actions
Copy link

Feature #3804

open

Authentication over HTTPS

Added by Vinod Singh over 14 years ago. Updated about 11 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Administration
Target version:
-
Start date:
2009-09-02
Due date:
% Done:

0%

Estimated time:
Resolution:

Description

There should be global flag to indicate that login page should be served over HTTPS. As of now once can run whole application over either HTTP or HTTPS. Running everything over HTTPS is overkill and sending user credentials over HTTP is a security whole.

Related issues

Related to Redmine - Feature #24763: Force SSL when Setting.protocol is "https"New

Actions
Actions
Copy link
 #1

Updated by Dipan Mehta about 11 years ago

I disagree!

There is no point in running only Login page in HTTPS and then let your session cookies visible to the rest of the world through HTTP only for some eavesdropper to hijack you once you logged in!

Everything should be HTTPS or HTTP only!

Actions
Copy link
 #2

Updated by Go MAEDA over 7 years ago

  • Related to Feature #24763: Force SSL when Setting.protocol is "https" added
Actions
Copy link

Also available in: Atom PDF