I may be completely blind, but if this does already exist as an option, I can't find it!
Our new security manager wants all logins to our website to be forced over SSL. Is there any way to do this? We have login available via HTTPS, and have a number of pages where data is collected forced to HTTPS, but can't see a way of forcing all login forms to HTTPS?
Force HTTPS login
If you want to force your login to _admin to be secure, just go to System Configuration and scroll down to the Login/Session Settings. This is where you can tick the box next to your URL to require secure login.
If you want to force this for individual assets, you can do this on that asset's settings screen.
Have done both of these already. What we've been told we must do for various compliance reasons is for ALL login forms (we have a large amount of member-only content) to be forced over HTTPS, so that passwords are never passed in plain text.
Not concerned about the session cookies once the user has been established. We don't want everything on HTTPS for caching and other reasons.
[quote]
Have done both of these already. What we've been told we must do for various compliance reasons is for ALL login forms (we have a large amount of member-only content) to be forced over HTTPS, so that passwords are never passed in plain text.
Not concerned about the session cookies once the user has been established. We don't want everything on HTTPS for caching and other reasons.
[/quote]
So…are you still having an issue?
[quote]
So…are you still having an issue?
[/quote]
Yes - because when attempting to access member-only pages when not logged in, the login form is presented over HTTP. We need the user to be forced over to HTTPS for the login, then (optionally) returned to HTTP afterwards (with the session cookie still intact).
[quote]
Yes - because when attempting to access member-only pages when not logged in, the login form is presented over HTTP. We need the user to be forced over to HTTPS for the login, then (optionally) returned to HTTP afterwards (with the session cookie still intact).
[/quote]
Hmm, if forcing the login to HTTPS isn't working, maybe you should talk to Squiz Support. We checked that option and it has always forced our _admin to switch to https.
[quote]
Hmm, if forcing the login to HTTPS isn't working, maybe you should talk to Squiz Support. We checked that option and it has always forced our _admin to switch to https.
[/quote]
_admin is indeed redirected to HTTPS correctly.
But we have normal pages which are member-only to view, and it's logging onto these pages which we've been told we need to tighten security on, because once a session is established, that allows members (400,000+) to view and change their personal and subscription details.