Follow-up Comment #7, bug #6694 (project savane):

> It is not something we want to lose.

Define "we", preferably without using 'must' ;)

> > This breaks the automatic http->https relocation, but
> > security-wise, that's more logical - if you want to stay
> > in ssl mode, you probably don't want your session
> > cookies to be sent inadvertently clear-text.
> Not sure to understand. You mean for external links to
> viewcvs? Seems hard to predict whether https is available
> on external links. If you want to enforce security there,
> you should probably configure the group type to have https
> in the viewcvs url.

I mean that I do not want a cookie set via https to be sent via plain http. So I suggest using the secure=1 setcookie() option in this regard. Note that https is not necessarily available (cf. recipe #114).

"This breaks the automatic http->https relocation": example:
- you log in to http_s:_//sv.gnu.org
- you close the browser
- you type http://sv.gnu.org, or click on a bookmark... so you use a non-secure URL
-> now, you send the cookie clear-text, and you are redirected to https:.

With what I suggest, in this case, you are considered not logged-in, and you have to manually add a 's' to 'http:' in the URL bar. However that's more secure because your session is indeed reserved to TLS mode.

_______________________________________________________

Reply to this item at:
<http://gna.org/bugs/?func=detailitem&item_id=6694>

_______________________________________________
Message posted via Gna!
http://gna.org/

_______________________________________________
Savane-dev mailing list
[email protected]
https://mail.gna.org/listinfo/savane-dev
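The scenario from this comment, as an added example that is not part of the original message or of Savane's code: Python's standard-library cookie jar stands in for the browser and shows when a cookie set over https is attached to a later plain-http request. The cookie name and value are constructed, and nothing is sent over the network.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed sample cookies; the name and value are placeholders, not Savane's.
# Max-Age makes the cookie persistent, so it survives "you close the browser".
WITHOUT_SECURE = "session_hash=constructed123; Path=/; Max-Age=86400"
WITH_SECURE = WITHOUT_SECURE + "; Secure"


class FakeResponse:
    """Minimal response object carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent_after_login(set_cookie, later_url):
    """Log in over https, then return the Cookie header the client
    would attach to a later request for later_url (None if no cookie)."""
    jar = CookieJar()
    login = Request("https://sv.gnu.org/")
    jar.extract_cookies(FakeResponse(set_cookie), login)

    later = Request(later_url)
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


if __name__ == "__main__":
    cases = [
        ("no Secure flag, http ", WITHOUT_SECURE, "http://sv.gnu.org/"),
        ("Secure flag,    http ", WITH_SECURE, "http://sv.gnu.org/"),
        ("Secure flag,    https", WITH_SECURE, "https://sv.gnu.org/"),
    ]
    for label, cookie, url in cases:
        print(label, "->", cookie_sent_after_login(cookie, url))
```

With the Secure flag the plain-http request carries no cookie, so the server sees an anonymous visitor, which is the "considered not logged-in" outcome described above.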
