Secure Login

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
DimitrisK
Registered User
Posts: 5
Joined: Thu Sep 18, 2008 7:59 pm

Secure Login

Post by DimitrisK » Thu Sep 18, 2008 8:20 pm

Hi Folks,
How can I create a secure login? Basically, I have a security certificate installed and want to be able to have all the users use the secure connection only when they try to login or register. Is this possible w/this board?

If this is possible, do I need some kind of .htaccess file to redirect them to the right URL e.g.
the site is http://mysite.com/forum and my certificate is for http://www.mysite.com. It needs the "www" to get the nifty little lock.

Anyway, thanks for any help in advance. I've looked all over the forum and Google but can't find a solution to this.

Lumpy Burgertushie
Registered User
Posts: 66734
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: Secure Login

Post by Lumpy Burgertushie » Thu Sep 18, 2008 10:07 pm

DimitrisK wrote:
> Hi Folks,
> How can I create a secure login? Basically, I have a security certificate installed and want to be able to have all the users use the secure connection only when they try to login or register. Is this possible w/this board?
>
> If this is possible, do I need some kind of .htaccess file to redirect them to the right URL e.g.
> the site is http://mysite.com/forum and my certificate is for http://www.mysite.com. It needs the "www" to get the nifty little lock.
>
> Anyway, thanks for any help in advance. I've looked all over the forum and Google but can't find a solution to this.

this is not going to be easy at all unless you put the whole site under your SSL

which means that your url would be:
https://whatever.com

by the way, you will not gain anything by doing this.

robert

DimitrisK
Registered User
Posts: 5
Joined: Thu Sep 18, 2008 7:59 pm

Re: Secure Login

Post by DimitrisK » Thu Sep 18, 2008 10:43 pm

Thanks for the reply. Why do you say I wouldn't gain anything? Isn't it always better to have a secure login?

stevemaury
Support Team Member
Support Team Member
Posts: 50812
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Secure Login

Post by stevemaury » Thu Sep 18, 2008 10:45 pm

The login is secure. Do a search on this board to see how many people have had passwords intercepted. Or don't, because there are none. :)

DimitrisK
Registered User
Posts: 5
Joined: Thu Sep 18, 2008 7:59 pm

Re: Secure Login

Post by DimitrisK » Thu Sep 18, 2008 11:27 pm

Ok, so I guess there's no way to do what I want then?

stevemaury
Support Team Member
Support Team Member
Posts: 50812
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Secure Login

Post by stevemaury » Thu Sep 18, 2008 11:33 pm

Yes, there's a way. Make the board an https site. You will have to change the cookie_secure setting to 1 in the database as well as creating a secure site.

It's just really not worth the trouble.

DimitrisK
Registered User
Posts: 5
Joined: Thu Sep 18, 2008 7:59 pm

Re: Secure Login

Post by DimitrisK » Thu Sep 18, 2008 11:47 pm

Thanks for the reply, bro. Why isn't it worth it?

stevemaury
Support Team Member
Support Team Member
Posts: 50812
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Secure Login

Post by stevemaury » Thu Sep 18, 2008 11:56 pm

Because it is a job to set it up, it slows things down, and it has no real security advantages. Guys that sniff packets do it for credit card numbers and such, not so they can get on a board they can register for anyway.

DimitrisK
Registered User
Posts: 5
Joined: Thu Sep 18, 2008 7:59 pm

Re: Secure Login

Post by DimitrisK » Fri Sep 19, 2008 12:04 am

At this point, I'm going to leave this topic alone, even though I don't agree w/there not being any advantages to a secure connection. It just sounds like it's going to be a lot of work and at this point I can't spare any more hours.

Thanks again :D

stevemaury
Support Team Member
Support Team Member
Posts: 50812
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Secure Login

Post by stevemaury » Fri Sep 19, 2008 12:07 am

Do as you wish, don't let us stop you. But this goes beyond basic phpBB support so if you decide to do it, you will have to ask your host, or someplace that knows how to set up secure sites.
Lumpy Burgertushie
Registered User
Posts: 66734
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: Secure Login

Post by Lumpy Burgertushie » Fri Sep 19, 2008 1:46 am

I think maybe you are a bit paranoid or just don't understand how this stuff works very well.
When you log in to your ftp or when you log into your cpanel or when you log on to your computer, do you have all of that being encrypted via SSL or anything else?

I don't think so. Your email is not encrypted when you log on to check it, etc. etc.

order forms, financial info, etc. those are the things that are sent via a secure connection SSL.

first, why would anyone care to try and snatch a login to your board?
are you discussing state secrets in private forums or something?

second, in order for someone to be able to "sniff" out a login to your board, they would have to be within a certain distance of the person who was logging in, and have the correct equipment and software to be able to do it and be monitoring that person all the time to be able to catch it.

if you need to protect against that type of possibility, then you probably should not be trying to use a normal web based open source type of software such as phpBB.

sysdev
Registered User
Posts: 6
Joined: Wed Sep 17, 2008 8:36 pm

Re: Secure Login

Post by sysdev » Mon Sep 29, 2008 5:40 pm

SMF has a mod for it. Many CMS platforms have secure login capabilities as well.

I don't think it's an unreasonable or 'paranoid' question or request - especially in this day and age where identity theft is as prevalent as it is. I wouldn't want my admin login to be packet-sniffed and then my board be hacked by a spambot that inserts malicious code. Heck I wouldn't want my login information to be sniffed by my own network administrators - and yes, they do that.

If SSL is available to protect sensitive content from prying eyes, then why not add that capability for logins and registrations without having to wrap the entire board in SSL? That way you, and your forum's users (particularly the 'paranoid' ones), will be more content that their login information is less vulnerable to packet sniffers, and your board will still perform well because only the sensitive content will be secured via SSL.

And by the way, you bet I secure my email via SSL. I wouldn't have it any other way!

stevemaury
Support Team Member
Support Team Member
Posts: 50812
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Secure Login

Post by stevemaury » Mon Sep 29, 2008 5:43 pm

Moving to discussion at this point.
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Secure Login

Post by Techie-Micheal » Mon Sep 29, 2008 6:03 pm

sysdev wrote:
> SMF has a mod for it. Many CMS platforms have secure login capabilities as well.

It is possible to do this with phpBB3 without a MOD, but as explained, it would be for the entire site. I don't know of anybody that has done this for just login and registration though. Why not make it the whole thing?

> I don't think it's an unreasonable or 'paranoid' question or request - especially in this day and age where identity theft is as prevalent as it is. I wouldn't want my admin login to be packet-sniffed and then my board be hacked by a spambot that inserts malicious code. Heck I wouldn't want my login information to be sniffed by my own network administrators - and yes, they do that.

It has been explained many times to Robert that people have their reasons for wanting SSL on their board (otherwise it wouldn't be offered as a feature ...) and he shouldn't try to talk them out of it, so don't mind him. :)

> If SSL is available to protect sensitive content from prying eyes, then why not add that capability for logins and registrations without having to wrap the entire board in SSL? That way you, and your forum's users (particularly the 'paranoid' ones), will be more content that their login information is less vulnerable to packet sniffers, and your board will still perform well because only the sensitive content will be secured via SSL.

Unless you can find a MOD, or someone willing to write such a MOD (I don't think it'd be that difficult, but then you run into potential cookie issues), this would be a feature request for the devs. :)

> And by the way, you bet I secure my email via SSL. I wouldn't have it any other way!

Which is why Google's gmail requires ssl connections to their SMTP and POP3/IMAP services. Many people do that.
Proven Offensive Security Expertise. OSCP - GXPN
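
An added example, not part of the thread and not phpBB code: the cookie issues raised above for an HTTPS-only login come down to the Secure flag that the cookie_secure setting controls. The sketch applies simplified browser matching rules to constructed Set-Cookie headers (cookie names and values are made up) and reports which cookies would accompany requests to the http and https forms of the board URL, with and without the "www".

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers for a board at www.mysite.com.
# Cookie names and values are made up; only the Secure flag differs.
COOKIE_SECURE_0 = [
    "board_demo_sid=a1b2c3d4; path=/; domain=www.mysite.com; HttpOnly",
    "board_demo_u=2; path=/; domain=www.mysite.com; HttpOnly",
]
COOKIE_SECURE_1 = [h + "; Secure" for h in COOKIE_SECURE_0]


def parse_set_cookie(headers):
    """Parse Set-Cookie header values into {name: Morsel}."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        jar.update(cookie)
    return jar


def cookies_sent(jar, url):
    """Names of cookies a browser would attach to a request for url.

    Simplified RFC 6265 matching: domain suffix, path prefix, Secure flag.
    """
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    sent = []
    for name, morsel in jar.items():
        domain = morsel["domain"].lstrip(".")
        if host != domain and not host.endswith("." + domain):
            continue  # wrong host, e.g. mysite.com vs www.mysite.com
        if not path.startswith(morsel["path"] or "/"):
            continue
        if morsel["secure"] and parts.scheme != "https":
            continue  # Secure cookies never travel over plain HTTP
        sent.append(name)
    return sorted(sent)


if __name__ == "__main__":
    for label, headers in (("cookie_secure=0", COOKIE_SECURE_0),
                           ("cookie_secure=1", COOKIE_SECURE_1)):
        jar = parse_set_cookie(headers)
        for url in ("http://www.mysite.com/forum/viewtopic.php",
                    "https://www.mysite.com/forum/ucp.php",
                    "https://mysite.com/forum/"):
            print(label, url, cookies_sent(jar, url))
```

With the flag off, the session cookie issued after an HTTPS login still accompanies every plain-HTTP page view; with it on, HTTP pages see no session at all, which is why the whole board is served over HTTPS rather than only the login form.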

DarkGod
I've Been Banned!
Posts: 221
Joined: Thu Jan 06, 2005 9:16 pm

Re: Secure Login

Post by DarkGod » Mon Sep 29, 2008 6:34 pm

So directing members to forums starting with https instead of http adds more security for them when logging in?
