This performs the login POST in HTTPS then redirects the user back to HTTP (can't make a POST to HTTP without cross content errors). This appears to be working as expected. The end user won't notice anything happening, but their data (username/password) is being passed to your site securely and they're then sent back as their previous usage. For example, if they were browsing in HTTP they will be sent back to HTTP after login. If you've Firebug for Firefox and review the Net tab, setting it to persist, you should notice on login that the post is in HTTPS.
Option 2... Is the https here not encrypted, as opposed to Option 3's? What is the meaning of "same"? Revert back to http, if the page browsed was http? "Same" as the "same" also in option 1? In contrast to Option 3, I would guess that users send passwords through https, but are bumped back to http after having successfully logged in. Unfortunately, that's not how it works!?
This is working exactly as designed.
Option 3... This one seems intuitive, and works as advertised. But given how Option 2 has "not quite worked", I have a nagging fear that Option 3 only "worked by accident, not by design". I'm worried I'm missing some security loopholes in using Option 3.
Please ensure CB login module is being used. Please also is in the format as seen in the below (relative and non-sef). Please also check if you've a first time login redirect configured in CB > Configuration > Registration as this would take effect for first time login which would override your modules login redirect. If you've multiple login modules please ensure you're using the module configured with the redirect.
Login Redirection URL isn't working, no matter what I put in (absolute or relative).
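An added example, not part of the thread or of Community Builder's code: a check of the behaviour described for Option 2, run over the kind of request/response data the Firebug Net tab shows. The URLs, cookie name and captured headers are constructed, and the Secure-flag check on the session cookie is an addition that the thread itself does not discuss.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def audit_login_flow(post_url, status, headers):
    """Audit one login POST and its response; headers is a list of (name, value)."""
    findings = []
    if urlsplit(post_url).scheme != "https":
        findings.append("credentials POSTed over plain HTTP")
    # Resolve the redirect target against the POST URL (Location may be relative).
    location = next((v for k, v in headers if k.lower() == "location"), None)
    downgraded = False
    if status in REDIRECTS and location:
        target = urljoin(post_url, location)
        downgraded = urlsplit(target).scheme == "http"
        if downgraded:
            findings.append(f"post-login redirect leaves HTTPS: {target}")
    # A cookie set without Secure is also sent on later plain-HTTP requests.
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if not morsel["secure"]:
                msg = f"cookie {cookie_name} lacks the Secure flag"
                if downgraded:
                    msg += " and will travel in clear text after the redirect"
                findings.append(msg)
    return findings

# Constructed captures (not real traffic): HTTPS POST, then back to HTTP or HTTPS.
OPTION_2 = ("https://example.com/index.php", 303, [
    ("Location", "http://example.com/index.php"),
    ("Set-Cookie", "sessid=abc123; path=/; HttpOnly"),
])
OPTION_3 = ("https://example.com/index.php", 303, [
    ("Location", "/index.php"),
    ("Set-Cookie", "sessid=abc123; path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for label, capture in (("Option 2", OPTION_2), ("Option 3", OPTION_3)):
        print(label, audit_login_flow(*capture) or "no findings")
```
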
No, it isn't working as expected. But I fixed it. CB v1.7.
krileon wrote:
This performs the login POST in HTTPS then redirects the user back to HTTP (can't make a POST to HTTP without cross content errors). This appears to be working as expected.
Option 2... Is the https here not encrypted, as opposed to Option 3's? What is the meaning of "same"? Revert back to http, if the page browsed was http? "Same" as the "same" also in option 1? In contrast to Option 3, I would guess that users send passwords through https, but are bumped back to http after having successfully logged in. Unfortunately, that's not how it works!?
Yes, this one does work as expected.
krileon wrote:
This is working exactly as designed.
Option 3... This one seems intuitive, and works as advertised. But given how Option 2 has "not quite worked", I have a nagging fear that Option 3 only "worked by accident, not by design". I'm worried I'm missing some security loopholes in using Option 3.
It's SEF-related. But I fixed it too.
krileon wrote:
Please ensure CB login module is being used. Please also is in the format as seen in the below (relative and non-sef).
Login Redirection URL isn't working, no matter what I put in (absolute or relative).