Hi, for a Roller installation I'd like to secure the site so my login
password isn't being sent via cleartext, but at the same time not have
the entire blog on SSL for performance reasons (blog readers will never
log in, so if they can use HTTP alone that would be good.) I see these
possibilities:
1.) Activate SSL for the login page only, and keep the rest HTTP-only.
Is that doable with Roller, and would it provide sufficient security? I.e.,
I'm not sure if any cookies sent back and forth during subsequent edits
would create security problems akin to sending the password cleartext if
those cookies themselves weren't encrypted.
2.) Use two URLs -- use https:// for the entire site for myself only,
since I'm the only one logging in, but use cleartext HTTP for blog
readers. This could work but I'm concerned any Google returns for blog
articles would point to the https:// and not the http:// URL.
3.) Use OpenID to authenticate -- this could(?) allow me to keep the
blog 100% HTTP-only while keeping the third-party authentication on SSL.
Any ideas/suggestions? What do others do?
Thanks,
Glen