  1. Moodle
  2. MDL-55836

Warn about loginhttps


Details

    • MOODLE_32_STABLE
    • Easy

    Description

      While we await the deprecation of login https (MDL-42834), we should make the following changes (that don't involve removing the setting completely):

      • Warn in the loginhttps' help text not to use it.
      • When it's on, warn in the security report about it.
      • Change the setting name to "Use HTTPS only for logins"
      • Disable it if you are already using HTTPS site wide. (It makes it seem like without the option checked HTTP will be used for logins, which is not correct.)

      I'm seeing more and more posts about loginhttps on the security forums and it's bringing up a bunch of other problems.

      In particular:

      1. People don't know that they won't be able to use their site behind a proxy if they use loginhttps (MDL-45539 will stop this being a problem)
      2. It confuses people, making them think their site is more secure than it is (in general)
      3. It causes cookiesecure to snap off without warning, confusing users who view the security report, and making people think cookiesecure is on if they don't. MDL-55662 will solve this.


            People

              Unassigned Unassigned
              johno John Okely
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo