- Bug
- Resolution: Won't Do
- Major
- None
- 3.2
- MOODLE_32_STABLE
- Easy
While we await the deprecation of loginhttps (MDL-42834), we should make the following changes (which don't involve removing the setting completely):
- Warn in the loginhttps help text not to use it.
- When it's on, warn in the security report about it.
- Change the setting name to "Use HTTPS only for logins".
- Disable it if you are already using HTTPS site wide. (It makes it seem like, without the option checked, HTTP will be used for logins, which is not correct.)
I'm seeing more and more posts about loginhttps on the security forums and it's bringing up a bunch of other problems.
In particular:
- People don't know that they won't be able to use their site behind a proxy if they use loginhttps (MDL-45539 will stop this being a problem).
- It confuses people, making them think their site is more secure than it is (in general).
- It causes cookiesecure to snap off without warning, confusing users who view the security report, and making people think cookiesecure is on if they don't. MDL-55662 will solve this.
- has a non-specific relationship to
  - MDL-42834 Deprecate loginhttps (Closed)
  - MDL-45539 Support X-Forwarded-Proto and Forwarded headers in is_https (Closed)
- will be (partly) resolved by
  - MDL-42834 Deprecate loginhttps (Closed)
  - MDL-45539 Support X-Forwarded-Proto and Forwarded headers in is_https (Closed)
- will help resolve
  - MDL-58391 "is_moodle_cookie_secure()" is buggy (Closed)