Account Issues, Outage Reports and Technical problems Reports, Questions or Requests related to your account and/or forum functionality.
#1
Can we PLEAAASEEE fix the SSL issues?
I log in via the HTTPS version of the site, and inevitably I click a link (like the "Home" button) which goes to the http version of the site. My login cookie is no longer valid. The same goes for in-thread links to the non-https version of the site. Oddly, the Home button goes to http:// but other top bar links go to https:// properly.

Those that don't know better will be prompted to log in again, and potentially reveal their login or subject themselves to cookie-jacking. Apache has no problem directing all non-https requests to https if so configured. This would prevent any database-side work to replace all links, but still make the site navigable.

This is IMO a rather serious security concern. If you log into the non-HTTPS version of the site your username and password are sent plain-text. While the login is hashed, it's pretty trivial these days to crack. This means that any intermediary network provider could compromise a calguns member account, and access their respective PMs, posts that are not public, reveal address/phone information that was sent in PMs, payment addresses, etc.

Can we get Apache configured properly, pretty please?
#3
If you want to give me shell access to the AWS instance, sure.
I don't know if Apache is configured as a virtual host or we're using .htaccess to control redirection. It also changes slightly based on the host OS, etc. Basically, I'd love to just send you a list of instructions, but I can't do that without somewhat privileged information.
#4
__________________
"I do not love the bright sword for its sharpness, nor the arrow for its swiftness; I love only that which they defend. victus exaro somniculosus, somnus exaro ieiunium
#5
Quote:
#6
It's only 29 bucks a year though, helps support the cause.
#7
Fizz, if you look at everyone that has replied so far, their names are in gold and under their name it says contributor.
That’s what we’re getting at.
__________________
"I do not love the bright sword for its sharpness, nor the arrow for its swiftness; I love only that which they defend. victus exaro somniculosus, somnus exaro ieiunium
#8
He just offered to fix it for free. That would cost way more than $29 for a consultant.
#9
It is a simple Apache config and should be done. Force everything to be HTTPS only. I'm not sure who manages the software part for the message board, but I do wonder if there is an update to set the HSTS flag to true as well.
__________________
Application submitted: 1/3/22 Appointment: 2/3/22 Live Scan : 2/3/22 Proceed to Training: 5/31/22 Training Completed: 7/9/22 Document Uploaded: 7/10/22 CCW approved: 7/20/22 CCW picked up: 7/27/22 Utah Non-Res CCW 8/31/22
#10
What's the difference between the Home button and the button immediately below it (calguns net)? Other than one is http & the other is https, what else is different?
#11
Quote:
The problem isn't limited to the home button. It's a general issue where navigating to any link that's the opposite of what you logged into (http/https) will effectively halt site nav. The site should simply force everyone to use SSL only for all links to calguns, even if a link doesn't have https in it. It will increase security for all members and fix the navigation issue.
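
The HTTPS-only setup the thread asks for, as an added example that is not part of any post and not the site's actual configuration. It covers both cases raised in post #3 (virtual host or .htaccess) plus the HSTS header from post #9; the hostname forum.example.org and the certificate paths are placeholders.

```apache
# Added example. forum.example.org and the certificate paths are placeholders.

# --- Variant A: server / virtual host configuration ---
# Port 80 serves nothing but a permanent redirect, so any http:// link
# (the "Home" button, old in-thread links) lands on the HTTPS site
# without rewriting links stored in the database.
<VirtualHost *:80>
    ServerName forum.example.org
    Redirect permanent / https://forum.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName forum.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/forum.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/forum.example.org.key

    # HSTS (requires mod_headers). A browser that has seen this header
    # upgrades http:// links to https:// itself for max-age seconds, so
    # the request never leaves the machine in plaintext.
    # Use a short max-age while testing, then raise it.
    Header always set Strict-Transport-Security "max-age=31536000"

    # ... existing DocumentRoot and forum settings stay as they are ...
</VirtualHost>

# --- Variant B: .htaccess in the document root (requires mod_rewrite) ---
# Only for hosts where the virtual host file cannot be edited.
# The target hostname is fixed rather than taken from the Host header.
# RewriteEngine On
# RewriteCond %{HTTPS} !=on
# RewriteRule ^ https://forum.example.org%{REQUEST_URI} [L,R=301]
```

The redirect only acts after the plaintext request has already been sent, so a session cookie issued without the Secure attribute can still travel over http:// once; that attribute is set in the forum software's cookie settings, which this example does not cover.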