  1. Moodle
  2. MDL-55836

Warn about loginhttps


    • Bug
    • Resolution: Won't Do
    • Major
    • None
    • 3.2
    • Administration
    • MOODLE_32_STABLE
    • Easy

      While we await the deprecation of login https (MDL-42834), we should make the following changes (that don't involve removing the setting completely)

      • Warn in the loginhttps' help text not to use it.
      • When it's on, warn in the security report about it.
      • Change the setting name to "Use HTTPS only for logins"
      • Disable it if you are already using HTTPS site wide. (It makes it seem like without the option checked HTTP will be used for logins, which is not correct.)

      I'm seeing more and more posts about loginhttps on the security forums and it's bringing up a bunch of other problems.

      In particular:

      1. People don't know that they won't be able to use their site behind a proxy if they use loginhttps (MDL-45539 will stop this being a problem)
      2. It confuses people, making them think their site is more secure than it is (in general)
      3. It causes cookiesecure to snap off without warning, confusing users who view the security report, and making people think cookiesecure is on if they don't. MDL-55662 will solve this.

            Unassigned Unassigned
            johno John Okely
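The warnings requested in this issue can be sketched as a small settings audit. This is an added example, not Moodle code or part of the original report: `audit_login_transport`, the finding ids, the `behind_proxy` flag and the sample hosts are hypothetical, `wwwroot` is assumed to hold the site URL, and the cookiesecure rule models only the behaviour the report describes.

```python
from urllib.parse import urlparse


def audit_login_transport(cfg):
    """Return (effective_cookiesecure, findings) for a dict of site settings.

    Only the loginhttps interactions named in the report are modelled.
    """
    site_https = urlparse(cfg.get("wwwroot", "")).scheme.lower() == "https"
    loginhttps = bool(cfg.get("loginhttps"))
    effective = bool(cfg.get("cookiesecure"))
    findings = []
    if not loginhttps:
        return effective, findings
    if site_https:
        # The whole site is already HTTPS, so the option adds nothing and
        # wrongly suggests that logins would otherwise use HTTP.
        findings.append(("info", "loginhttps-redundant",
                         "site is HTTPS-wide; loginhttps can be disabled"))
    else:
        findings.append(("warning", "loginhttps-only",
                         "HTTPS is used only for logins, not the session"))
        if effective:
            # Assumption taken from the report: cookiesecure is switched off
            # without notice when loginhttps is in use on an HTTP site.
            effective = False
            findings.append(("warning", "cookiesecure-off",
                             "cookiesecure is configured but not in effect"))
    if cfg.get("behind_proxy"):
        findings.append(("warning", "loginhttps-proxy",
                         "loginhttps is reported not to work behind a proxy"))
    return effective, findings


# Constructed sample settings (not taken from a real site).
SAMPLES = {
    "login-only": {"wwwroot": "http://moodle.example.test", "loginhttps": True,
                   "cookiesecure": True, "behind_proxy": True},
    "https-wide+loginhttps": {"wwwroot": "https://moodle.example.test",
                              "loginhttps": True, "cookiesecure": True},
    "https-wide": {"wwwroot": "https://moodle.example.test",
                   "loginhttps": False, "cookiesecure": True},
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        effective, findings = audit_login_transport(cfg)
        print(f"{name}: cookiesecure in effect = {effective}")
        for level, ident, text in findings:
            print(f"  [{level}] {ident}: {text}")
```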