HTTPS/HTTP Authentication Issue

win32sux · 03-05-2007, 01:58 AM

just noticed something weird... let's say i login to LQ using HTTPS... then i go into my email and click on a link in a LQ "Reply to post" message (or go directly to LQ via HTTP) -- i'll need to login *again* (this time via HTTP)... is this a problem on my end, or can anyone else confirm this behavior??

jeremy · 03-05-2007, 08:37 AM

That's the correct behavior to my understanding. Your browser is sending different cookies back and forth to what are in essence different URI's.

--jeremy

win32sux · 03-05-2007, 03:29 PM

thanks for the reply!!! yeah, that makes sense... i wonder why i never noticed before... i guess i've always been logged-in using both methods... =/

EDIT: actually, i just did a test and realized the inverse is not true... in other words, if you log-in via HTTP and then switch to HTTPS you'll be fine... you only need to re-login when going from HTTPS to HTTP...

on a side note... what are your thoughts on a checkbox in the user's configuration section which when checked would make it so that the "Reply to post" email messages (or better yet, any LQ message) would use HTTPS links instead of HTTP ones??

jeremy · 03-05-2007, 05:54 PM

I believe a "secure" cookie can be read by both, but not the inverse (which makes sense). We've never fully supported or advertised the SSL address, which is something we should do. I'll look into proper support for a future release. Thanks!

--jeremy

Jaqui · 03-05-2007, 10:45 PM

Jeremy,
I know I saw on one of the security lists a recommendation that, for security reasons, the entire internet should be defaulted to ssl. The drawback is the reduction in speed.
[ takes a few extra seconds to load an ssl page over a non secured page ]
It would remove phishing / fake site issues almost entirely is the reasoning.