Open R2ZER0 opened 9 years ago
The site is mostly non-cookie, so only https for /admin & when logged in (if that's possible?) would seem like a good way forward
Oh yeah that's a point, cookies are always sent if someone is logged in... hmm...
No, yeah that's a good suggestion actually.
It would still be possible to separate secure.comp-soc.com and www.comp-soc.com, having www for regular pages, secure for pages that require being logged in or access to user info. Then, cookies would only be set and sent on the secure subdomain, where there is no chance of an unencrypted connection. Woot!
Reverting my previous policy of HTTPS everywhere, and automatically redirecting HTTP -> HTTPS, for two reasons:
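As an added illustration of the subdomain split discussed above (not code from this thread or from the comp-soc.com site), the following uses the standard library cookie jar as a stand-in for browser behaviour to show which session cookies would ride along on each kind of request. The hostnames are the ones from the thread; the cookie names and values are constructed, and the `Secure` attribute case is included for comparison since it gives the same protection without a second hostname.

```python
# Added example: models which cookies a browser would attach to requests for
# www.comp-soc.com vs secure.comp-soc.com, over http and https. Hostnames are
# from the issue thread; cookie names/values are constructed for the demo.
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, domain, secure):
    """Build a Netscape-style cookie as a server's Set-Cookie header would yield.
    A domain without a leading dot is host-only; '.comp-soc.com' covers every
    subdomain."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookies_sent_to(jar, url):
    """Return the sorted cookie names the jar would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


def leak_report():
    """Compare three cookie scopes against the URLs discussed in the thread."""
    jar = CookieJar()
    # The worry raised in the thread: a domain-wide, non-Secure session cookie
    # is sent on every plain-HTTP page of www, where an on-path observer sees it.
    jar.set_cookie(make_cookie("sess_wide", "abc", ".comp-soc.com", secure=False))
    # The proposed split: a host-only cookie that only ever targets the secure host.
    jar.set_cookie(make_cookie("sess_split", "def", "secure.comp-soc.com", secure=False))
    # The Secure attribute: domain-wide, but never attached to an http:// request.
    jar.set_cookie(make_cookie("sess_secure", "ghi", ".comp-soc.com", secure=True))
    urls = [
        "http://www.comp-soc.com/",
        "https://www.comp-soc.com/",
        "http://secure.comp-soc.com/",
        "https://secure.comp-soc.com/",
    ]
    return {url: cookies_sent_to(jar, url) for url in urls}
```

Note that the host-only cookie still goes out on `http://secure.comp-soc.com/`, so the split only holds if the secure host itself is never reachable over plain HTTP, which is exactly the condition the thread assumes.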