SSL Login


Yannick Koehler

Friday 04 April 2003 12:19:06 pm

I have a web hosting service that will provide me a proper secure SSL login with the correct SSL certificate signed by a proper authority, except that the domain name is different.

my site

http://ezpublish.mysite.com/index.php/user

my ssl secure login site

https://businessx.secure.com/mysite/index.php/user

Does ezpublish support this kind of scenario? What I'd like is for ezpublish to post the login form to the secure URL and, once the identification is confirmed, to return to the non-secure version for normal usage.

I would need such a trick to occur as well for password changing.

Any help would be appreciated, I'm a complete newbie for ezPublish and I'm investigating how easy it would be to move my own CMS to this one as it is more a framework and I like the idea.

Yannick Koehler
ykoehler@hotmail.com

Volker Lenz

Sunday 06 April 2003 3:20:10 am

If the content you offer is not worth SSL, why then make a big razzmatazz about encrypted user registration? This is nothing but fooling users. I dislike sites where you start with https just to be slightly redirected to http after login. If there is no content to protect, I recommend that you go the gmx-way of open registration with email addresses. This is very easy to accomplish with ezp3.

On the other hand, if you want to provide serious SSL sessions, the main piece of work is to create a good web server configuration with appropriate rewrite rules for the redirection purposes as needed. Within ezp3, you may associate your content and site access with SSL-sessions or not as you like.

My site www.leportal.net is built that way (ezp3 + 1 public + 2 SSL-site access modes on a single ezp3 instance). Not much stuff inside yet, but it works as you would expect.

Regards

Volker

 

Kai Duebbert

Sunday 06 April 2003 10:37:08 pm

Well, the obvious advantage of having an SSL login page is that you don't send the password unencrypted. Makes a lot of sense in my eyes. (One security hole less, always good.)

(Sorry, can't answer the original question.)

Yannick Koehler

Tuesday 08 April 2003 11:25:21 am

Hi Volker,

>SSL-Login ? Possible, but what is it good for ...

To protect users' passwords and personal information. Many users re-use their password on several sites, some of them using simple HTTP. This is a very high security problem. While I personally can't force the user to use a different password, I can at least attempt to minimize the impact of such insecure behavior by reducing the amount of public awareness of this piece of information. If I do so, maybe other sites will also get the idea and support proper secure authentication schemes and will reduce the amount of identity theft going on.

> This is nothing but fooling users.

I disagree with you here. I believe that the password is transmitted securely between the home user and the site. It surely doesn't say that at the site only my script will get it, but at least it reduces the possibilities. It also ensures that brothers and sisters who, on a community site, may be interested in hacking access and posting stuff under another name won't be able to do so on the site without more thinking on their side.

>I recommend that you go the gmx-way of open registration
>with email addresses. This is very easy to accomplish with
>ezp3.

Hmm, maybe, but people do not like to have a certain password forced on them and are more likely to never come back to my site, which is in the opposite direction of my goals. Also, the idea of using an identity and password is to allow a more personal approach, and if that identity is not strong then there's no real point in having it at all, which again is not going toward my goals for my site.

There is also the part about providing the email address. Many sites take this information for granted, while many users are starting to be annoyed with spam and no longer want to provide that piece of information. One of my goals is to go back in time to when web sites didn't require email addresses.

> On the other hand, if you want to provide serious SSL
> sessions, the main piece of work is to create a good web
> server configuration with appropriate rewrite rules for the
> redirection purposes as needed. Within ezp3, you may
> associate your content and site access with SSL-sessions or
> not as you like.

Unfortunately, at the current time, I am not fortunate enough to own my web server/permanent connection or to have access as I wish to all its configuration. The scenario I described is the one I have to live with at the moment, and I would appreciate help that supports the scenario and does not ask to change it, unless a hosting service allowing me such support is provided as well at the same cost as my current one, 9$US a month, as I don't have that control at the present host.

Sincerely,

Yannick Koehler
ykoehler@hotmail.com
