
SSL should be active on all pages after logging in

description

I'd like to suggest a setting to keep a user on the https url for browsing after logging in (not just for the login page or dashboard) so that the secure cookie isn't subject to being hijacked by someone on the same network using Firesheep or a similar tool.

comments

sebastienros wrote Oct 23, 2012 at 4:37 PM

I'd like to agree. The current behavior is a bad practice. Would you be able to apply the necessary changes and submit a pull request? It should actually be easy, as it's just about removing some code which redirects to a non-https URL thereafter.

rroyall wrote Oct 31, 2012 at 3:22 PM

Sure, I'll take a look at it this weekend.

johnbarclay wrote Jul 17, 2013 at 1:29 PM

Here's a patch for this. It basically adds a checkbox with the text "Enable SSL on all pages for authenticated users" and adds "|| settings.AuthenticatedPagesEnabled && HttpContext.Current.User.Identity.IsAuthenticated" to the logic requiring a redirect to SSL. "AuthenticatedPagesEnabled" is the configuration property name.
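The redirect decision described in the last comment, written out as an added example that is not part of the thread or the project's own code. Only the AuthenticatedPagesEnabled name comes from the comment; SslSettings, Enabled, isSecuredPath and the example.test URL are hypothetical stand-ins.

```csharp
using System;

// Hypothetical stand-in for the module's settings object.
public sealed class SslSettings
{
    public bool Enabled { get; set; }                   // assumed master switch
    public bool AuthenticatedPagesEnabled { get; set; } // name taken from the comment
}

public static class SslRedirect
{
    // True when the request must be served over HTTPS.
    // isSecuredPath stands for the existing rule (login page, dashboard).
    // The parentheses spell out how "a || b && c" is grouped in C#.
    public static bool RequiresSsl(SslSettings s, bool isSecuredPath, bool isAuthenticated)
    {
        if (!s.Enabled) return false;
        return isSecuredPath || (s.AuthenticatedPagesEnabled && isAuthenticated);
    }

    // Returns the HTTPS URL to redirect to, or null when no redirect is needed.
    public static Uri RedirectTarget(SslSettings s, Uri requested,
                                     bool isSecuredPath, bool isAuthenticated)
    {
        bool alreadyHttps = requested.Scheme == Uri.UriSchemeHttps;
        if (alreadyHttps || !RequiresSsl(s, isSecuredPath, isAuthenticated))
            return null;

        // Port = -1 selects the default port of the new scheme (443).
        return new UriBuilder(requested) { Scheme = Uri.UriSchemeHttps, Port = -1 }.Uri;
    }

    public static void Main()
    {
        var settings = new SslSettings { Enabled = true, AuthenticatedPagesEnabled = true };
        var page = new Uri("http://example.test/blog/post-1?x=1"); // constructed URL

        // Authenticated user on an ordinary page: redirected to HTTPS.
        Console.WriteLine(RedirectTarget(settings, page, false, true));
        // Anonymous visitor on the same page: no redirect (null).
        Console.WriteLine(RedirectTarget(settings, page, false, false) == null);
        // Option switched off: authenticated users are no longer redirected.
        settings.AuthenticatedPagesEnabled = false;
        Console.WriteLine(RedirectTarget(settings, page, false, true) == null);
    }
}
```

The request that triggers the redirect is itself plain HTTP, so the authentication cookie also needs the Secure attribute; otherwise the browser sends it in the clear before the redirect takes effect.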