** Changed in: mahara
       Status: In Progress => Fix Committed

--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/685942
  Title:
  Possible https to http downgrade

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.2 series:
  Fix Released
Status in Mahara 1.3 series:
  Fix Released

Bug description:
  Interesting that with both bug #646713 and bug #684190 we overlooked the most obvious and relatively sensitive issue. Even though $cfg->wwwroot might be set to 'https://somemaharasite', depending on the apache config, a user may still be able to use an insecure page for logging in by entering 'http://somemaharasite' in the web browser address field; then, upon logging in, the user credentials will be passed through the insecure connection first, before the server responds with a redirection to the https secured page. This is valid for other pages after logging in: at any time the user may switch back to an insecure connection by typing 'http://somemaharasite/somedir/somepage.php'.

  This can be fixed by ensuring that $_SERVER['HTTPS'] is set when $cfg->wwwroot = 'https://...', otherwise redirecting the user to the same page using https.

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
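The check the description proposes, written out as an added example that is not Mahara's own code: it compares the scheme of $cfg->wwwroot with $_SERVER['HTTPS'] early in request setup and redirects plain-http requests to the same path over https. The $trust_proxy_header option and the X-Forwarded-Proto handling are assumptions for deployments behind a TLS-terminating proxy, not something the report describes.

```php
<?php
// Added example, not Mahara's own code. Intended to run before any session,
// cookie or login-form handling, so that no page is ever served over http.

// Constructed config standing in for Mahara's global $cfg.
$cfg = new stdClass();
$cfg->wwwroot = 'https://somemaharasite/';

/**
 * True if the current request arrived over TLS. $_SERVER['HTTPS'] is unset
 * over plain http and may be the string 'off' on some servers, so both
 * cases count as insecure. $trust_proxy_header is an assumed option: enable
 * it only when a TLS-terminating reverse proxy is known to set
 * X-Forwarded-Proto, otherwise a client could spoof the header.
 */
function request_is_https(array $server, $trust_proxy_header = false) {
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ($trust_proxy_header && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

/**
 * If wwwroot is configured as https but this request is plain http, return
 * the https URL for the same path; otherwise return null (nothing to do).
 * The host comes from the configured wwwroot, not from the Host header.
 */
function https_redirect_target($wwwroot, array $server, $trust_proxy_header = false) {
    if (parse_url($wwwroot, PHP_URL_SCHEME) !== 'https') {
        return null; // site not configured for https; nothing to enforce
    }
    if (request_is_https($server, $trust_proxy_header)) {
        return null; // already secure
    }
    $host = parse_url($wwwroot, PHP_URL_HOST);
    $port = parse_url($wwwroot, PHP_URL_PORT);
    $uri  = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    return 'https://' . $host . ($port ? ':' . $port : '') . $uri;
}

// Redirect and stop before any output. A redirect cannot recover credentials
// already posted over http; its value is that the login form is never served
// over http in the first place.
$target = https_redirect_target($cfg->wwwroot, $_SERVER);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}
```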