Moodle / MDL-55836

Warn about loginhttps

    Details

    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_32_STABLE

      Description

      While we await the deprecation of login https (MDL-42834), we should make the following changes (that don't involve removing the setting completely):

      • Warn in the loginhttps' help text not to use it.
      • When it's on, warn in the security report about it.
      • Change the setting name to "Use HTTPS only for logins"
      • Disable it if you are already using HTTPS site wide. (It makes it seem like without the option checked HTTP will be used for logins, which is not correct.)

      I'm seeing more and more posts about loginhttps on the security forums and it's bringing up a bunch of other problems.

      In particular:

      1. People don't know that they won't be able to use their site behind a proxy if they use loginhttps (MDL-45539 will stop this being a problem)
      2. It confuses people, making them think their site is more secure than it is (in general)
      3. It causes cookiesecure to snap off without warning, confusing users who view the security report, and making people think cookiesecure is on if they don't. MDL-55662 will solve this.
