Login supports http and defaults to http rather than https
Author Message
bsmithsweeney

Posted: May 14, 2010
Score: 0 Reference
If you visit https://www.toodledo.com but are not logged in yet, you are redirected to an http-based login page rather than https. This is true even if you set the "Encryption" option to "yes" with a pro account, per https://www.toodledo.com/forums/2/2975/-15677/pro-accout-https-is-not-enabled-by-default.html. Note that many folks are likely bookmarking https://www.toodledo.com, rather than bookmarking the login page, and all of them would be redirected to the plaintext login.

This is not ideal for clients who may miss the change in protocol on redirect. I suggest making the login page https-only to ensure it's not possible to accidentally send login information in cleartext or have that information intercepted.

Cheers,
Brian
Jake

Toodledo Founder
Posted: May 16, 2010
Score: 0 Reference
Login information is always submitted over an https encrypted connection, even if the page you are on is not https. You can check the source code if you want to confirm this.