On Fri, Jan 03, 2014 at 03:18:02PM -0700, Bob Proulx wrote:
> Sylvain wrote:
> > Bob Proulx wrote:
> > > > To me this is a bug.
> > >
> > > Which part of it? There were several things mentioned.
> >
> > The only non-sensible one: that _un_checking 'stay in https' stays in https nonetheless.
>
> Well... That technically may be a bug but it is one of those bugs that would never be noticed. Because with the previous push to https that is generally what we want it to do.
>
> It would be worse if it failed the other direction and when https was desired it kicked the user back to http. That way would be the bad case. I am sure that would have been noticed.
>
> However you had said the need case was for a site that restricts access to all but a whitelisted set of domains and gnu.org was not in that whitelist. In such an environment savannah would need to *never* access https in order to allow a login. That is different functionality than switching from https to http after login. Even if the switch from http-to-https worked the restricted site would not be able to log in due to the https block. Therefore I don't see the utility of a switch back to http feature. For your use case it would need to allow logging in using http which opens the security hole of sending passwords in clear text.
>
> At one time it was generally thought that if everyone used https that the encryption would load down a server. That is why many sites logged in with https but then switched to http. Then they would require an https login again before doing anything that required security. But as time has gone by hardware has gotten faster and using https all of the time is now generally thought not to be a server load concern. The https is currently required and frontend hasn't been suffering load problems.
Agreed on all points.

> (vcs has but that is a different server.)

Physically different?

> > But actually it's not a bug: this checkbox creates a cookie that makes the browser auto-switch to https when they open http://savannah.gnu.org. Unchecking the box does not set that cookie.
>
> Are you saying that you can make this switch back to http for you? I can't. It always stays in https from my testing.

No, disabling the checkbox makes it _not_ switch to https when you manually type an http://savannah.gnu.org/something.php URL.

This is configured with a cookie named 'redirect_to_https', not set if the checkbox is unchecked.

Agreed with getting rid of it.

-- 
Sylvain
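The cookie mechanism Sylvain describes, modelled as an added example that is not savannah's own code: the opt-in mode redirects an http request only when the 'redirect_to_https' cookie is present, and the `always_https` mode stands for the outcome the thread agrees on (drop the checkbox, require https). The cookie value "1", the `Path=/` attribute and the function names are assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

COOKIE_NAME = "redirect_to_https"  # cookie name from the thread


def handle_request(url, cookie_header="", always_https=False):
    """Front-end decision for one request. Returns (status, location).

    Opt-in mode (always_https=False): http is upgraded to https only when
    the cookie is sent; otherwise the page, login form included, is served
    in clear text, which is the password exposure Bob points out.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return 200, None                      # already encrypted, serve it
    if parts.scheme != "http":
        raise ValueError("unsupported scheme: %s" % parts.scheme)
    cookies = SimpleCookie()
    cookies.load(cookie_header)               # empty header loads nothing
    opted_in = COOKIE_NAME in cookies and cookies[COOKIE_NAME].value == "1"
    if always_https or opted_in:
        return 301, urlunsplit(("https",) + tuple(parts[1:]))
    return 200, None                          # served over plain http


def checkbox_set_cookie_header(checked):
    """Set-Cookie value the 'stay in https' checkbox produces (assumed form).

    Unchecking emits no header at all, as Sylvain describes, so a browser
    that already holds the cookie keeps being redirected; only an explicit
    expiry (see expire_cookie_header) would revert it. The cookie cannot
    carry the Secure attribute: the browser must send it on the *http*
    request for the redirect to fire at all.
    """
    if not checked:
        return None
    c = SimpleCookie()
    c[COOKIE_NAME] = "1"
    c[COOKIE_NAME]["path"] = "/"
    return c.output(header="").strip()


def expire_cookie_header():
    """What 'uncheck' would need to send to actually stop the redirect."""
    c = SimpleCookie()
    c[COOKIE_NAME] = ""
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["max-age"] = 0              # tells the browser to drop it
    return c.output(header="").strip()
```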
