I am just trying to work out some security issues on our sites. The only really sensitive information that will be sent to matrix is the username and password.
We have many domains on our Matrix install, and the main thing that needs protecting is the login. Is it possible to redirect all logins through a separate domain such as https://secure.our.domain and then redirect back to where it should be, so that at no time are the username and password sent through http, while all content editing and updating can be through http?
Will the username and password be exposed at any other time other than login?
Is this at all possible?
[quote]Will the username and password be exposed at any other time other than login?
Is this at all possible?[/quote]
The username and password are only transmitted during login. However, because you have multiple domains, you will need to secure all of them for login purposes – we use sessions and cookies to ensure you are still logged in and these do not traverse domains well. You can use Site Networks to group multiple domains together, but I haven't tried that with a single login domain.
Either way, you'd need to enable HTTPS for Login (on the System Configuration screen) and probably Authentication Redirects to your secure domain on all your non-secure ones.
I notice that this only forces it when you log in with _/edit or _/admin.
Anything with a design login form or within a page, like through an asset builder, does not force it. So to ensure all logins were secured, the whole site would need to be secured?
If you have a login box on every screen, you'll need to secure your whole site. If you just use something like an account manager, you can force that single page to be HTTPS on its settings screen.
I guess all I am trying to do is avoid purchasing certificates for every domain. Perhaps I could get away with one per site network.
Do your domains share a common parent, like first.domain.com and second.domain.com? If so, you could probably set a Parent Domain cookie setting and use a single certificate for domain.com.
Also, I would completely test this configuration with a self-signed certificate to make sure it works properly before you go out and buy one.
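An added illustration of the cookie scoping behind this reply (example code, not from the thread or from Squiz Matrix): it applies the browser-side RFC 6265 rules that decide whether the session cookie set by the login host is attached to a later request, which is what makes a Parent Domain setting work for subdomains of one parent and not for unrelated domains. All host names are constructed placeholders.

```python
# Added example, not part of the forum thread or of Squiz Matrix itself.
# Models the browser rules (RFC 6265) for whether a session cookie set by
# the login host is sent with a later request to another host. Host names
# and URLs below are constructed placeholders.
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SessionCookie:
    set_by_host: str                 # host that answered the login request
    domain: Optional[str] = None     # Domain attribute; None means host-only
    secure: bool = False             # Secure attribute


def domain_matches(request_host: str, cookie: SessionCookie) -> bool:
    """RFC 6265 section 5.1.3: exact match, or suffix match on a dot boundary."""
    h = request_host.lower().rstrip(".")
    if cookie.domain is None:
        # Host-only cookie: only the exact host that set it gets it back.
        return h == cookie.set_by_host.lower()
    d = cookie.domain.lower().lstrip(".")
    return h == d or h.endswith("." + d)


def cookie_sent_to(url: str, cookie: SessionCookie) -> bool:
    """Would a browser attach this cookie to a request for `url`?"""
    parts = urlsplit(url)
    if cookie.secure and parts.scheme != "https":
        return False                 # Secure cookies are never sent over plain http
    return domain_matches(parts.hostname or "", cookie)


def hosts_sharing_login(urls: List[str], cookie: SessionCookie) -> List[str]:
    """URLs (from the given list) that would still carry the login session."""
    return [u for u in urls if cookie_sent_to(u, cookie)]


if __name__ == "__main__":
    SITES = ["http://first.domain.com/_edit", "http://second.domain.com/_edit",
             "http://other.example/_edit"]
    host_only = SessionCookie(set_by_host="secure.domain.com")
    parent = SessionCookie(set_by_host="secure.domain.com", domain="domain.com")
    # Host-only: no site shares the login, each would need its own.
    print(hosts_sharing_login(SITES, host_only))
    # Parent Domain: the two subdomains share it; other.example does not.
    print(hosts_sharing_login(SITES, parent))
```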
[quote]Do your domains share a common parent, like first.domain.com and second.domain.com? If so, you could probably set a Parent Domain cookie setting and use a single certificate for domain.com.
Also, I would completely test this configuration with a self-signed certificate to make sure it works properly before you go out and buy one.[/quote]
Some do and some don't.