Add support for back-end access via HTTPS only


Post by cmb » Mon Apr 27, 2015 12:44 pm

Hi everybody!

As it is now, a webserver can be configured to allow access to a CMSimple_XH site only via HTTPS. However, for normal browsing HTTPS might be overkill, especially when no sensitive data will be transferred. When accessing the back-end (particularly when sending the login password), enforcing HTTPS (if configured by the user) appears to be reasonable.

Basically, the implementation seems to be rather trivial: loginforms() would have to be slightly modified wrt. the form's action attribute, and the logout link would have to be modified. Of course, that would not prohibit the admin from switching to HTTP manually, but that might be acceptable. Then again, really enforcing HTTPS might also be easy, by adding a check for (XH_ADM && !isHTTPS()), and bailing out if that isn't true. I'm not sure if there would be any issues with this, though.

Anyhow, what do you think?
Christoph M. Becker – Plugins for CMSimple_XH
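
The two variants described in the post above (an https:// form action, and a hard check for back-end requests), as an added example that is not part of the original post and is not CMSimple_XH code. `isHTTPS()` is only named in the post, so its body here, the helper names `httpsUrl()` and `backendDecision()`, the `$enforce` setting and the host name are all assumptions.

```php
<?php
// Added sketch, not CMSimple_XH code. isHTTPS() is named in the post but not
// defined there; its body and the other two function names are assumptions.

function isHTTPS(array $server): bool
{
    // PHP sets HTTPS to a non-empty value other than "off" for TLS requests.
    // Forwarded-protocol headers are ignored here: they are client-controlled
    // unless a trusted reverse proxy overwrites them.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

// Absolute URL for the login form's action attribute and the logout link.
// $configuredHost is a host name from the site configuration (assumption),
// not the client-supplied Host header.
function httpsUrl(string $configuredHost, string $requestUri): string
{
    return 'https://' . $configuredHost . '/' . ltrim($requestUri, '/');
}

// $backendRequest: true for admin mode (XH_ADM) and for the login POST itself.
// Returns 'allow' or 'deny'. A 'deny' cannot un-send a password that already
// travelled over HTTP, which is why the form action must point to https://.
function backendDecision(bool $enforce, bool $backendRequest, array $server): string
{
    if (!$enforce || !$backendRequest) {
        return 'allow';
    }
    return isHTTPS($server) ? 'allow' : 'deny';
}

// Constructed $_SERVER samples and a constructed request path.
$samples = [
    'admin over HTTP'  => [true,  ['SERVER_PORT' => '80']],
    'admin over HTTPS' => [true,  ['HTTPS' => 'on', 'SERVER_PORT' => '443']],
    'IIS plain HTTP'   => [true,  ['HTTPS' => 'off', 'SERVER_PORT' => '80']],
    'visitor on HTTP'  => [false, ['SERVER_PORT' => '80']],
];
foreach ($samples as $label => [$backend, $server]) {
    printf("%-17s %s\n", $label, backendDecision(true, $backend, $server));
}
echo httpsUrl('www.example.com', '/?login'), "\n";
```

In a real request the `'deny'` result is where the back-end would stop processing, for instance with a 403 response, while ordinary visitors on HTTP are unaffected.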
