- Improvement
- Resolution: Fixed
- Minor
- 2.6, 3.2, 3.4
- MOODLE_26_STABLE, MOODLE_32_STABLE, MOODLE_34_STABLE
- MOODLE_34_STABLE
- MDL-42834_master
- 40
- 3.4 Sprint 5
In my opinion, it's about time we deprecated and removed the loginhttps config setting and sealed this potential leak.
It was removed from Mahara over three years ago (https://bugs.launchpad.net/mahara/+bug/646713) for two primary reasons:
- it broke AJAX login; and
- there can be times where an http link is present on an https page.
In Moodle we don't have AJAX login, and we have mitigated against the https -> http issue by always setting the wwwroot to the current schema.
However, it would be really super nice if we could have AJAX login, and I don't feel that the reasons which once prevented forced use of HTTPS throughout a site are as strong as they used to be. Hardware performance is far better than it was five years ago; it's been proven how easy it is to steal sessions from non-SSL so these things are no longer theoretical or even hard; and SSL is far more widespread.
As it is, we already load all additional content (e.g. CSS, JS, images) over SSL so it's now just the actual page content which is not.
We no longer have issues with third-party plugins not supporting SSL (e.g. YouTube, Vimeo, etc).
I'd like to propose that we drop support for loginhttps.
(more documentation changes: http://docs.moodle.org/27/en/Apache)
- blocks
  - MDL-46267 Final deprecation of https_required and verify_https_required, remove loginhttps and httpswwwroot if possible - Closed
  - MDL-55662 Remove cookiesecure - Reopened
- caused a regression
  - MDL-61050 Regression: NTLM Redirect Failure - Closed
- has a non-specific relationship to
  - MDL-55945 Forgot password stopped working with loginhttps - Closed
  - MDL-45539 Support X-Forwarded-Proto and Forwarded headers in is_https - Closed
- has been marked as being related by
  - MDL-55836 Warn about loginhttps - Closed
  - MDL-46893 Cache of loginhttps before site is even setup - Closed
  - MDL-55273 cookiesecure doesn't default on - Closed
  - MDL-44792 Allow theme fixtures in Unit Tests - Open
  - MDL-46685 Alternate login URL behaviour (avoid extra http redirect) - Open
  - MDL-46554 YouTube Filter: Adjust to stop forcing HTTPS - Closed
- is blocked by
  - MDL-46269 Convert http embedded content to https on https sites where available - Closed
- Testing discovered
  - MDL-60093 A tool that will automatically update your $CFG->wwwroot to https - Closed
- will help resolve
  - MDL-55836 Warn about loginhttps - Closed
  - MDL-51368 Glossary auto linking broken when HTTPS for logins is enabled - Closed
  - MDL-51714 Blank page after authenticating to Dropbox - Closed