Secure login not enforced?

We have a section of our design that is shown only to internal staff, but is shown to them when browsing the site normally. One part of this is a login box:

    Username:
    Password:


This works fine except when we tick "require secure login". When we tick that for the domain that we are on, this login box still generates an insecure login link, and will still allow people to log in via http rather than https.

    Username:
    Password:


So basically when we tick the require secure connections box, nothing changes with this login box.

Is there some way to have this form send the login info securely (e.g. another mysource_set variable)?

And is there some way to have require secure login actually mean it requires a secure login?

The require secure login option forces the standard login box to redirect to a HTTPS URL if it is printed on a HTTP URL. A login box nested in your design is not going to be able to submit data entered into it via a HTTPS connection unless all your users browse via HTTPS.


Because this is part of your design, every page has the potential to log people in, so you'll need to enable HTTPS access for your site URLs and disable HTTP if you want to force people to use a secure connection for those logins.

Technically it could allow a secure login by presenting the login box via http, but having the form action as the https version of the current url.


e.g. on "http://www.mysite.com/login" have "<form action='https://w …"



As soon as someone hits a form button they are sending a new request to the server that is totally independent of any previous requests.



If the domain is set to require a secure login would it not make sense for the login_section to generate a secure action for the form_open variable? Require secure login should mean that secure logins are required and MySource should not generate code that violates that IMO.

That will still bounce your users into a HTTPS URL for the site, so you'll need to make sure your site URLs allow HTTPS. Once in there, your users will stay in HTTPS as Matrix will always select that URL because it matches the current protocol.


In my opinion as a site visitor, I'd want to be forced into a HTTPS URL if there is a login box on the page so I can verify the certificate before I enter my login details.



I don't think the default Matrix behavior should change to get visitors to verify the certificate after they have submitted the form. If anything was to change, Matrix could force you to use HTTPS URLs if a page contains a login design area, but bouncing users from HTTP to HTTPS as they move in and out of pages with login boxes would be very annoying, so I'd still recommend forcing the entire site into HTTPS instead.

Is there a keyword that generates a secure url for the currently viewed page, similar to %asset_url%? Or one that lists other valid urls for the page?

I was looking for one, but I can't find one that will print without the protocol. You could change the form action using JS I guess.
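
The JavaScript approach suggested in the last reply, as an added example that is not part of the original thread or of Matrix itself: it rewrites the action of any form containing a password field to the HTTPS version of its target. The function names `toHttps` and `secureLoginForms` and the password-field selector are assumptions. Because the script is itself delivered over HTTP, it complements serving the site over HTTPS as recommended above and does not replace it.

```javascript
// Added example; toHttps and secureLoginForms are hypothetical names.

// Return the HTTPS equivalent of a form action, resolved against the
// page it appears on. An empty or missing action posts back to the page.
function toHttps(action, pageHref) {
  const u = new URL(action || pageHref, pageHref);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error('refusing to rewrite non-HTTP action: ' + u.protocol);
  }
  if (u.protocol === 'http:') {
    // Default port 80 becomes default port 443; an explicit
    // non-default port is kept as written.
    u.protocol = 'https:';
  }
  return u.href;
}

// Point every form that contains a password field at an HTTPS action.
// Forms without a password field are left alone. Returns the forms changed.
function secureLoginForms(doc, pageHref) {
  const changed = [];
  for (const form of doc.querySelectorAll('form')) {
    if (!form.querySelector('input[type="password"]')) continue;
    const current = form.getAttribute('action');
    const secure = toHttps(current, pageHref);
    if (current !== secure) {
      form.setAttribute('action', secure);
      changed.push(form);
    }
  }
  return changed;
}

// In a browser, run once the design's login box has been parsed.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    secureLoginForms(document, window.location.href);
  });
}
```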