Secure Login

DimitrisK · Post by **DimitrisK** » Thu Sep 18, 2008 8:20 pm

Hi Folks,
How can I create a secure login? Basically, I have a security certificate installed and want to be able to have all the users use the secure connection only when they try to login or register. Is this possible w/this board?

If this is possible, do I need some kind of .htaccess file to redirect them to the right URL e.g.
the site is http://mysite.com/forum and my certificate is for http://www.mysite.com. It needs the "www" to get the nifty little lock.

Anyway, thanks for any help in advance. I've looked all over the forum and Google but can't find a solution to this.

Lumpy Burgertushie · Post by **Lumpy Burgertushie** » Thu Sep 18, 2008 10:07 pm

DimitrisK wrote:Hi Folks,
How can I create a secure login? Basically, I have a security certificate installed and want to be able to have all the users use the secure connection only when they try to login or register. Is this possible w/this board?

If this is possible, do I need some kind of .htaccess file to redirect them to the right URL e.g.
the site is http://mysite.com/forum and my certificate is for http://www.mysite.com. It needs the "www" to get the nifty little lock.

Anyway, thanks for any help in advance. I've looked all over the forum and Google but can't find a solution to this.

this is not going to be easy at all unless you put the whole site under your SSL

which means that your url would be:
https://whatever.com

by the way, you will not gain anything by doing this .

robert

DimitrisK · Post by **DimitrisK** » Thu Sep 18, 2008 10:43 pm

Thanks for the reply. Why do you say I wouldn't gain anything? Isn't it always better to have a secure login?

Post by **stevemaury** » Thu Sep 18, 2008 10:45 pm

The login is secure. Do a search on this board to see how many people have had passwords intercepted. Or don't, because there are none.

DimitrisK · Post by **DimitrisK** » Thu Sep 18, 2008 11:27 pm

Ok, So I guess there's no way to do what I want then?

Post by **stevemaury** » Thu Sep 18, 2008 11:33 pm

Yes, there's a way. Make the board an https site. You will have to change the cookie_secure setting to 1 in the database as well as creating a secure site.

It's just really not worth the trouble.

DimitrisK · Post by **DimitrisK** » Thu Sep 18, 2008 11:47 pm

Thanks for the reply, bro. Why isn't it worth it?

Post by **stevemaury** » Thu Sep 18, 2008 11:56 pm

Because it is a job to set it up, it slows things down, and it has no real security advantages. Guys that sniff packets do it for credit card numbers and such, not so they can get on a board they can register for anyway.

DimitrisK · Post by **DimitrisK** » Fri Sep 19, 2008 12:04 am

At this point, I'm going to leave this topic alone, even though I don't agree w/the there not being any advantages to a secure connection. It just sounds like it's going to be a lot of work and at this point I can't spare any more hours.

Thanks again

Post by **stevemaury** » Fri Sep 19, 2008 12:07 am

Do as you wish, don't let us stop you. But this goes beyond basic phpbb support so if you decide to do it, you will have to ask your host, or someplace that knows how to set up secure sites.

Lumpy Burgertushie · Post by **Lumpy Burgertushie** » Fri Sep 19, 2008 1:46 am

I think maybe you are a bit paranoid or just don't understand how this stuff works very well.
When you log in to your ftp or when you log into your cpanel or when you log on to your computer, do you have all of that being encrypted via SSL or anything else?

I don't think so. Your email is not encrypted when you log on to check it, etc. etc.

order forms, financial info, etc. those are the things that are sent via a secure connection SSL.

first, why would anyone care to try and snatch a login to your board?
are you discussing state secrets in private forums or something?

second, in order for someone to be able to "sniff" out a login to your board, they would have to be within a certain distance of the person who was logging in, and have the correct equipment and software to be able to do it and be monitoring that person all the time to be able to catch it.

if you need to protect against that type of possibility, then you probably should not be trying to use a normal web based open source type of software as phpbb.

sysdev · Post by **sysdev** » Mon Sep 29, 2008 5:40 pm

SMF has a mod for it. Many CMS platforms have secure login capabilities as well.

I don't think it's an unreasonable or 'paranoid' question or request - especially in this day and age where identity theft is as prevailent as it is. I wouldn't want my admin login to be packet-sniffed and then my board be hacked by a spambot that inserts malicious code. Heck I wouldn't want my login information to be sniffed by my own network administrators - and yes, they do that.

If SSL is available to protect sensitive content from prying eyes, then why not add that capibility for logins and registrations without having to wrap the entire board in SSL? That way you, and your forum's users (particularly the 'paranoid' ones), will be more content that their login information is less vulnerable to packet sniffers, and your board will still perform well because only the sensitive content will be secured via SSL.

And by the way, you bet I secure my email via SSL. I wouldn't have it any other way!

Post by **stevemaury** » Mon Sep 29, 2008 5:43 pm

Moving to discussion at this point.

Techie-Micheal · Post by **Techie-Micheal** » Mon Sep 29, 2008 6:03 pm

sysdev wrote:SMF has a mod for it. Many CMS platforms have secure login capabilities as well.

It is possible to do this with phpBB3 without a MOD, but as explained, it would be for the entire site. I don't know of anybody that has done this for just login and registration though. Why not make it the whole thing?

I don't think it's an unreasonable or 'paranoid' question or request - especially in this day and age where identity theft is as prevailent as it is. I wouldn't want my admin login to be packet-sniffed and then my board be hacked by a spambot that inserts malicious code. Heck I wouldn't want my login information to be sniffed by my own network administrators - and yes, they do that.

It has been explained many times to Robert that people have their reasons for wanting SSL on their board (otherwise it wouldn't be offered as a feature ...) and he shouldn't try to talk them out of it, so don't mind him.

If SSL is available to protect sensitive content from prying eyes, then why not add that capibility for logins and registrations without having to wrap the entire board in SSL? That way you, and your forum's users (particularly the 'paranoid' ones), will be more content that their login information is less vulnerable to packet sniffers, and your board will still perform well because only the sensitive content will be secured via SSL.

Unless you can find a MOD, or someone willing to write such a MOD (I don't think it'd be that difficult, but then you run in to potential cookie issues), this would be a feature request for the devs.

And by the way, you bet I secure my email via SSL. I wouldn't have it any other way!

Which is why Google's gmail requires ssl connections to their SMTP and POP3/IMAP services. Many people do that.

DarkGod · Post by **DarkGod** » Mon Sep 29, 2008 6:34 pm

So directing members to forums starting with https instead of http add more security for them when logging in?

advertisements