The login page should redirect the user to the https url if it isn't already using https. This way, the user can't accidentally send their password in cleartext. It should be possible to disable this for development, since setting up https with the local webserver and getting browsers to trust it is a little awkward.
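One way to implement the behaviour described above, as an added example that is not the project's own code. The WSGI setting, the `/login` path, and the names `RequireHttpsOnLogin`, `canonical_host` and `enforce` are assumptions; the page does not name a framework.

```python
from urllib.parse import quote

LOGIN_PATH = "/login"  # assumed login path, not taken from the page


class RequireHttpsOnLogin:
    """WSGI middleware: plain-HTTP requests for the login page go to HTTPS."""

    def __init__(self, app, canonical_host, enforce=True):
        self.app = app
        # Taken from configuration, never from the client-supplied Host
        # header, so the redirect cannot be pointed at another site.
        self.canonical_host = canonical_host
        self.enforce = enforce  # set to False only for local development

    def decide(self, environ):
        """Return None to pass the request on, or (status, headers)."""
        if not self.enforce:
            return None
        if environ.get("PATH_INFO", "") != LOGIN_PATH:
            return None
        # Assumes wsgi.url_scheme reflects the client-facing scheme; behind
        # a TLS-terminating proxy the server has to be configured for that.
        if environ.get("wsgi.url_scheme") == "https":
            return None
        if environ.get("REQUEST_METHOD", "GET") not in ("GET", "HEAD"):
            # A form posted over HTTP has already exposed the password;
            # refuse it instead of replaying it to the HTTPS URL.
            return "403 Forbidden", [("Content-Type", "text/plain")]
        target = "https://" + self.canonical_host + quote(LOGIN_PATH)
        query = environ.get("QUERY_STRING", "")
        if query:
            target += "?" + query
        return "302 Found", [("Location", target), ("Cache-Control", "no-store")]

    def __call__(self, environ, start_response):
        decision = self.decide(environ)
        if decision is None:
            return self.app(environ, start_response)
        status, headers = decision
        start_response(status, headers)
        return [b""]
```

The redirect only protects the form fetch; a cleartext POST is rejected because the credential is already on the wire by the time the server sees it.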