Hi! I suspect that after login, the logged-in session is based on cookies? So if after login a cookie is sent through HTTP, the cookie can be intercepted.
Mitar

On Sat, Aug 8, 2015 at 2:42 PM, Geert Stappers <[email protected]> wrote:
> On Sat, Aug 08, 2015 at 02:14:59PM +0200, Mitar wrote:
>> Hi!
>>
>> HTTPS works:
>>
>> https://patchwork.ozlabs.org/
>>
>> But if I open http://patchwork.ozlabs.org/, it still allows me to
>> login and send a password in plain text. I think HTTP should force
>> redirect to HTTPS.
>>
>
> I think the HTTP _login screen_ should redirect to HTTPS.
> So only force HTTPS when login (and being logged in) is involved.
>
>
> Regards
> Geert Stappers
> --
> Live and let live
> _______________________________________________
> Patchwork mailing list
> [email protected]
> https://lists.ozlabs.org/listinfo/patchwork

--
http://mitar.tnode.com/
https://twitter.com/mitar_m
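The cookie concern raised in this message, modelled as an added example (not part of the original thread and not Patchwork code): a session cookie set after an HTTPS login is still attached to later plain-HTTP requests unless it carries the `Secure` attribute. The host name, cookie name, cookie value and URLs are constructed, and only the `Secure` attribute is modelled; domain and path matching are assumed to succeed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as a server might send them after an HTTPS login.
SESSION_PLAIN = "sessionid=constructed-value; Path=/; HttpOnly"
SESSION_SECURE = "sessionid=constructed-value; Path=/; HttpOnly; Secure"

# Constructed browsing sequence: log in over HTTPS, then follow a plain-HTTP link.
VISITS = [
    "https://patchwork.example/user/login/",
    "http://patchwork.example/project/demo/list/",
]


def cookies_sent(set_cookie_headers, request_url):
    """Names of the cookies a browser would attach to request_url.

    Only the Secure attribute is evaluated: a Secure cookie is withheld
    from any request whose scheme is not https.
    """
    scheme = urlsplit(request_url).scheme
    sent = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["secure"] and scheme != "https":
                continue  # browser keeps the cookie off the cleartext channel
            sent.append(name)
    return sent


def cleartext_leaks(set_cookie_headers, visited_urls):
    """URLs on which at least one cookie would travel over plain HTTP."""
    return [
        url for url in visited_urls
        if urlsplit(url).scheme == "http" and cookies_sent(set_cookie_headers, url)
    ]


if __name__ == "__main__":
    for label, header in (("no Secure", SESSION_PLAIN), ("Secure", SESSION_SECURE)):
        print(f"{label:10} -> cleartext requests carrying the session: "
              f"{cleartext_leaks([header], VISITS)}")
```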
