search

elfuchsjekyll / vosao

Automatically exported from code.google.com/p/vosao
0 stars 0 forks source link

HTTPS (SSL encryption) for login and registration forms #147

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
It would be fine if the default /cms login page would check if the users 
credentials are only submitted via an SSL encrypted connection.

I would suggest to automatically switch to "https://$config.siteDomain/cms" 
if /cms is called.

The same procedure should be used for the new registration form.

Original issue reported on code.google.com by mithan...@gmail.com on 8 Mar 2010 at 10:44

GoogleCodeExporter commented 9 years ago 
According to 
http://code.google.com/intl/en/appengine/docs/java/config/webxml.html#Secure_URL
s

Note: Google Apps domains do not currently support HTTPS. HTTPS support is 
limited to 
apps accessed via *.appspot.com domains. Accessing an HTTPS URL on a Google 
Apps 
domain will return a "host not found" error, and accessing a URL whose handler 
only 
accepts HTTPS (see below) using HTTP will return an HTTP 403 "Forbidden" error. 
You 
can link to an HTTPS URL with the *.appspot.com domain for secure features, and 
use 
the Apps domain and HTTP for the rest of the site.

Original comment by kinyelo@gmail.com on 8 Mar 2010 at 6:38

GoogleCodeExporter commented 9 years ago 
OK, that could be a problem for sites using own domain names. I only tested 
HTTPS on 
an appspot.com domain.

Original comment by mithan...@gmail.com on 8 Mar 2010 at 11:12

GoogleCodeExporter commented 9 years ago 
Please just STOP creating custom user management solutions! Please spend your 
time on 
really nesessary topics.
All GAE apps should use built-in secure user management.

Original comment by a.kosenkov on 22 May 2010 at 8:50

GoogleCodeExporter commented 9 years ago 
> Please spend your time on really nesessary topics.

In my humble opinion, a volunteer open source project should be a safe place 
where
people can "scratch an itch". If someone has an "itch" for utilizing the 
built-in
secure user management, the project is open to patches and other contributions. 

 * http://www.vosao.org/developer#volunteering

> All GAE apps should use built-in secure user management.

Personally, I think its a good idea for GAE apps to offer alternatives. We use 
Google
Accounts to login into Google Sites work, and it is far from an ideal 
experience.
Moreover, a valid use of GAE is to bridge with pre-existing applications, which 
may
already have an authentication system. 

-Ted.

Original comment by ted.husted on 23 May 2010 at 2:13

GoogleCodeExporter commented 9 years ago

Original comment by kinyelo@gmail.com on 26 Jul 2010 at 4:35