## Auth security tweak

I’m working on improving some of the https-related security in Authl, in particular making it so that if a site is configured with https, then it’ll only send the security cookie over https. This reduces the chances of a certain kind of possible security issue, but it also means that if you normally access the site with http://beesbuzz.biz instead of https://beesbuzz.biz it’ll show you as being signed out, and if you click the “log in” link it’ll ask you to sign in again even if you were already signed in.

I have a fix for that in mind, but it might cause a potential redirection loop problem in some cases, so I’m not going to implement it until I’ve determined the scope of the problem and figured out if I need further workarounds.

Update: Fix is implemented and being tested on this site. Authl and Publ updates pending other folks trying it out.
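
The cookie behaviour described in the first paragraph, as an added example that is not Authl's own code: it uses Python's standard-library cookie jar as a stand-in for a browser and shows that a `Secure` session cookie set during an https login is withheld from a plain-http request, which is why the http URL shows the visitor as signed out. The host name, cookie name and token are constructed for the illustration.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie

HOST = "site.example"  # constructed host name, not from the post


def session_cookie_header(site_uses_https: bool) -> str:
    """Build a Set-Cookie value; add Secure only when the site is configured for https."""
    jar = SimpleCookie()
    jar["session"] = "constructed-session-token"  # constructed value
    jar["session"]["path"] = "/"
    jar["session"]["httponly"] = True
    if site_uses_https:
        jar["session"]["secure"] = True
    return jar["session"].OutputString()


class FakeResponse:
    """Minimal response object: CookieJar only needs info() returning the headers."""

    def __init__(self, set_cookie: str):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self) -> Message:
        return self._headers


def cookie_sent(jar: CookieJar, url: str) -> bool:
    """Return True if the jar would attach a Cookie header to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.has_header("Cookie")


def simulate(site_uses_https: bool) -> dict:
    """Log in over https, then revisit the site over https and over plain http."""
    jar = CookieJar()
    login = urllib.request.Request(f"https://{HOST}/login")
    jar.extract_cookies(FakeResponse(session_cookie_header(site_uses_https)), login)
    return {scheme: cookie_sent(jar, f"{scheme}://{HOST}/") for scheme in ("https", "http")}


if __name__ == "__main__":
    print("Secure cookie:    ", simulate(True))
    print("non-Secure cookie:", simulate(False))
```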