What to do with ssl="authenticated sessions" + code freeze date for Bugzilla 3.6

Marc Schumann wurblzap at gmail.com
Wed Aug 19 20:25:32 UTC 2009


2009/8/19 Frédéric Buclin <lpsolit at gmail.com>:
> At the Bugzilla meeting today, there has been some discussion about what
> to do with the "authenticated sessions" value of the ssl parameter now
> that you can log in from every page. It seems that it doesn't make sense
> to keep this value anymore as all pages must be protected using SSL as
> you can potentially use any of them to log in. Does anyone see a valid
> reason to not kill this value? This means the ssl parameter would become
> a single yes/no to use ssl or not, see bug 329638.

I've got two installs with the param set to authenticated_sessions.
Most traffic on them is happening via SSL, though, because the vast
majority of bugs are not public, so people usually are logged in.

So I won't miss the value much, but I like the idea of being able to
browse unencrypted... I gather that we should log in *from* an
encrypted page, though, and since this means every page allows a log
in now, every page must be encrypted. Can you shed some light on why
this is so? Why can't we log in from an unencrypted page, moving to
SSL just when logging in? Is it some man-in-the-middle thing?

   Marc
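Marc's question above is why the page carrying the login form must itself be encrypted, not just the request that submits the password. As an added illustration that is not part of this thread or of Bugzilla's code, the Python check below scans a page's HTML for forms containing a password field and flags any such form delivered over plain HTTP even when its action posts to https (an on-path attacker can rewrite an unencrypted page before the user types anything); the host name, URL and HTML are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collect the action attribute of every <form> holding a password input."""

    def __init__(self):
        super().__init__()
        self._current = None      # form currently being parsed, if any
        self.login_actions = []   # actions of forms that contain a password field

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["password"]:
                self.login_actions.append(self._current["action"])
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding string per login form that is exposed in transit.

    A form is flagged when the page that delivered it was not served over
    https (the page itself could have been altered before it reached the
    browser), or when the form posts credentials to a non-https target.
    """
    finder = _LoginFormFinder()
    finder.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for action in finder.login_actions:
        target = urljoin(page_url, action)   # resolve relative actions
        if page_scheme != "https":
            findings.append(f"{page_url}: login form served over {page_scheme}, "
                            f"page content (and action {target}) can be tampered with in transit")
        elif urlsplit(target).scheme != "https":
            findings.append(f"{page_url}: login form posts credentials to {target} without https")
    return findings


# Constructed sample: a bug page with a header login form, as on every Bugzilla page
SAMPLE_HTML = """<html><body>
<form action="show_bug.cgi" method="post">
<input name="login"><input type="password" name="pw"></form>
</body></html>"""

if __name__ == "__main__":
    for f in audit_login_forms("http://bugs.example.test/show_bug.cgi?id=1", SAMPLE_HTML):
        print(f)
```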
