Hi everybody!
As it is now, a webserver can be configured to allow access to a CMSimple_XH site only via HTTPS. However, for normal browsing, HTTPS might be overkill, especially when no sensitive data will be transferred. When accessing the back-end (particularly when sending the login password), enforcing HTTPS (if configured by the user) appears to be reasonable.
Basically, the implementation seems to be rather trivial: loginforms() would have to be slightly modified wrt. the form's action attribute, and the logout link would have to be modified. Of course, that would not prohibit the admin from switching to HTTP manually, but that might be acceptable. Then again, really enforcing HTTPS might also be easy, by adding a check for (XH_ADM && !isHTTPS()), and bailing out if that isn't true. I'm not sure if there would be any issues with this, though.
Anyhow, what do you think?
Add support for back-end access via HTTPS only
Christoph M. Becker – Plugins for CMSimple_XH
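
Added example, not part of the original post and not CMSimple_XH code: one way the enforcement check proposed above could be written in PHP. `isHTTPS()` is the name used in the post, but its body, `enforceBackendHttps()`, the `host` and `trusted_proxies` settings and the sample requests are assumptions made for this sketch.

```php
<?php
// Added sketch; isHTTPS() body, enforceBackendHttps() and $cfg keys are assumptions.

function isHTTPS(array $server, array $trustedProxies): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Behind a TLS-terminating proxy PHP sees plain HTTP; believe the
    // forwarded header only when the peer is a configured proxy address.
    if (in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
    }
    return false;
}

// $backend: true for a login attempt or an admin request (XH_ADM in the post).
// Returns null to continue, or [status, headers] to send before bailing out.
function enforceBackendHttps(bool $backend, array $server, array $cfg): ?array
{
    if (!$backend || isHTTPS($server, $cfg['trusted_proxies'])) {
        return null;
    }
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if ($method === 'GET' || $method === 'HEAD') {
        // Build the target from the configured host, not the Host header.
        $url = 'https://' . $cfg['host'] . ($server['REQUEST_URI'] ?? '/');
        return [302, ['Location: ' . $url]];
    }
    // A POST (such as the login form) already sent its body in clear text;
    // refuse it instead of redirecting, so it is never processed.
    return [403, []];
}

// Constructed sample requests (documentation addresses and host name).
$cfg = ['host' => 'cms.example', 'trusted_proxies' => ['10.0.0.5']];
$samples = [
    'visitor over HTTP'      => [false, ['REQUEST_METHOD' => 'GET', 'REMOTE_ADDR' => '203.0.113.7']],
    'admin GET over HTTP'    => [true, ['REQUEST_METHOD' => 'GET', 'REQUEST_URI' => '/?login', 'REMOTE_ADDR' => '203.0.113.7']],
    'login POST over HTTP'   => [true, ['REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '203.0.113.7']],
    'admin via TLS proxy'    => [true, ['REQUEST_METHOD' => 'GET', 'REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https']],
    'spoofed forward header' => [true, ['REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https']],
];
foreach ($samples as $label => [$backend, $server]) {
    $r = enforceBackendHttps($backend, $server, $cfg);
    echo str_pad($label, 26), $r === null ? 'continue' : $r[0] . ' ' . implode(',', $r[1]), "\n";
}
```

If the front-end stays reachable over HTTP as proposed, the admin session cookie also needs the `Secure` flag; otherwise the browser sends it with plain-HTTP page views on the same host.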