Force SCLogin to a https page?

5 years 8 months ago #64409 by bec
Hi,
How do I force SCLogin modal window to be an https element? I have set the Encrypt Login Form in the SCLogin Module, but I have not forced the whole site to https in the Global Server settings.

When I look at the page using F12 in Firefox I get a warning on the console tab saying:

Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.


Thanks
Brian
The topic has been locked.
Support Specialist
5 years 8 months ago #64419 by mel
Replied by mel on topic Force SCLogin to a https page?

When I look at the page using F12 in Firefox I get a warning on the console tab saying: Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.


Are you looking at the https version of the page in Firefox? Can you verify in the source that the setting is working and the form is directed to submit to https? Could you send a specific URL where we can see the behavior in action?

-Melissa
5 years 8 months ago #64428 by bec
Replied by bec on topic Force SCLogin to a https page?
Hi, very happy to provide a URL. It is a test site, so I probably don't want to publish it. Is there an email I can send it to?

When I go to http:domain.org.au the login page is https, but I was expecting that there might be a way to force the login to be https without the whole site having to be https.

Brian
Support Specialist
5 years 8 months ago #64430 by alzander
SCLogin is a module. It can't force the actual page it's on to be https. In many cases, users will put the SCLogin module on every page of their site, not just one specific page as well.

If you want to make a specific page of your site always load via https, that should be done with an .htaccess rule, an SEO or other routing extension.

As Melissa hinted at above, the Encrypt Login Form setting in the SCLogin module ensures that the form is *submitted* to a secure/https URL. The page it's placed on is out of the module's control.

One final note, it's becoming more en vogue nowadays to have every page of your site load over https, whether there's a security reason to do so or not. Browsers and search engines are starting to promote pages that use https more and penalize (in some small way) pages that only load over http. If you have the ability to make everything https (and services like Cloudflare make this exceptionally easy), we'd recommend you do so.

I hope that helps explain further,
Alex
5 years 8 months ago #64431 by bec
Replied by bec on topic Force SCLogin to a https page?
Thanks, that all makes sense. So, just to check: when you say "the Encrypt Login Form setting in the SCLogin module ensures that the form is *submitted* to a secure/https URL", does this mean that the username and password are encrypted (https) as they travel to the URL where they are posted?

I am aware of the emphasis browsers have been placing on https (you would think they owned certificate suppliers). For now I'm trying to get away without making the whole site https. Out of interest I was trying to understand whether the login was transmitted securely without having to do a Wireshark and see the encrypted packets. The obvious things like looking at the page in IE/Firefox developer mode don't really tell me.

Thanks for your quick reply
Brian
Support Specialist
5 years 8 months ago #64439 by alzander

Does this mean that the username and password are encrypted (https) as they travel to the URL where they are posted?

Correct. The credentials are transmitted securely.

The issue that browsers have nowadays is that even if they are transmitted securely, if you're entering them on a non-secure page, there's additional risk that some malicious file running on the page could still be scraping the data before the "login" button is actually clicked. That's a more minimal risk, but at this point, it's SSL or bust to be seen in a good light in a browser's eyes.

I mentioned it above, but I'd recommend (and we use) Cloudflare. It's a CDN for your website that can add SSL to all your pages automatically. We get no benefits from you looking into them, just an easy solution.

All the best,
Alex