On 2009-11-25 at 17:11:59 [+0100], Jorge G. Mare <koki@xxxxxxxxxxxxx> wrote:
> Oliver Tappe wrote:
> > 2. Using both the 'secure pages' and the 'secure pages hijack prevention'
> > module to switch the vulnerable pages (login, edit-profile, ...) over to
> > https.
> >
>
> FWIW, I use this method in one of my customer's sites, and it is easy to
> set up and works as expected. TBH, I don't know about the load increase
> that this method introduces, but that is because the site I use it in
> has very low traffic. Traffic on the Haiku website does get pretty high
> at times, but it tends to be mostly anonymous traffic (so maybe it does
> not matter?).

Yeah, anonymous traffic shouldn't matter - and, actually I think we can forget about the load increase that the encryption will cause, after all: baron's CPUs are mostly idling, anyway. Then I shouldn't have mentioned it in the first place, I know ;-)

> Don't know about the other methods, so can't comment. What I would not
> like to see gone or replaced is the new user registration page, as we
> may use it to capture more user information than we do now in the future.

Acknowledged - but I doubt the registration page would be influenced by any of the methods. Http-digest-auth would only need to override the login page (i.e. replace it with the browser popup).

cheers,
Oliver

-----------------------------------------------------------------------
haiku-web@xxxxxxxxxxxxx - Haiku Web & Developer Support Discussion List