Bug #1728

projects.osmocom.org permits login over http, not https

Added by laforge over 2 years ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 05/18/2016
Due date:
% Done: 0%
Estimated time:
Spec Reference:
Description

I think this is not intentional, as it transmits credentials in the clear.

History

#1 Updated by zecke over 2 years ago

So you would like to have "Sign In" redirect to https?

#2 Updated by lynxis over 2 years ago

zecke wrote:

So you would like to have "Sign In" redirect to https?

Why not redirect everything to https://osmocom.org/?

http:// login is also possible on osmocom.org

#3 Updated by zecke over 1 year ago

  • Status changed from New to Closed

Added

    if ($scheme = http) {
        rewrite ^/login https://$server_name$request_uri? permanent;
    }

I skipped /admin or /my.. because at that point you already sent your session cookie on http...

#4 Updated by zecke over 1 year ago

curl -v http://osmocom.org/login/ 2>&1 | grep Location
< Location: https://projects.osmocom.org/login/

This caused issues with OpenID (and creating a new realm). Use $host instead of $server_name.
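Added example, not part of the ticket or of the Osmocom configuration: a small offline check for the three situations discussed above (login served over http, a redirect that switches the host as with $server_name, and a redirect that keeps the host as with $host), plus session cookies set without the Secure attribute. The function name, finding codes and sample responses are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def audit_http_login(request_url, status, headers):
    """Audit the response to a plain-http request for a login URL.

    headers is a list of (name, value) pairs; returns a list of finding codes.
    """
    findings = []
    req = urlsplit(request_url)
    location = next((v for k, v in headers if k.lower() == "location"), None)

    if status not in REDIRECT_CODES or location is None:
        findings.append("login-served-over-http")
    else:
        # Resolve a relative Location against the request URL before judging it.
        target = urlsplit(urljoin(request_url, location))
        if target.scheme != "https":
            findings.append("redirect-not-https")
        if target.hostname != req.hostname:
            # The $server_name case: the client lands on a different host name.
            findings.append("redirect-changes-host")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            # Without Secure the browser also sends this cookie over http.
            findings.append("cookie-without-secure:" + value.split("=", 1)[0].strip())
    return findings

# Constructed sample responses; the second mirrors the curl output in comment #4.
SAMPLES = {
    "no redirect": ("http://osmocom.org/login/", 200,
                    [("Set-Cookie", "sid=abc123; path=/; HttpOnly")]),
    "$server_name": ("http://osmocom.org/login/", 301,
                     [("Location", "https://projects.osmocom.org/login/")]),
    "$host": ("http://osmocom.org/login/", 301,
              [("Location", "https://osmocom.org/login/")]),
}

if __name__ == "__main__":
    for label, args in SAMPLES.items():
        print(label, "->", audit_http_login(*args) or "ok")
```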
