Hi,

On Thu, Jan 02, 2014 at 02:53:16PM -0700, Bob Proulx wrote:
> There is a checkbox on the login.php page.
>
>   [x] Stay in secure (https) mode after login
>
> The presented form may be accessed by either http or https.  It
> defaults to checked which is good.  The form submit action is always
> to an https URL which is also good.  But then regardless of the
> setting of that checkbox the result is always https even if the
> checkbox is not checked.  This is also good.
>
> I think this question is now obsolete and should be removed.  I think
> it became obsolete when the form POST action switched to https.
> (Which was a very good thing.)  Since this code was written there has
> been a big movement to make the web more secure.  I think this is just
> a leftover from the old days.
>
> I will investigate a little more but I plan on removing that checkbox.
> I don't believe this will have any user visible effects.

To me this is a bug.

I also noted in a recent work environment that https was way more
restricted (proxy *whitelist* only) than plain http, so in some cases,
people may want to stay in plain http.

There may be a conflict between the choice of the checkbox and
a) HTTPSEverywhere plugin and/or
b) a previous Savane cookie requesting to switch to https.

Cheers and happy GNU year!

-- 
Sylvain
