View Single Post
Old 25 September 2019, 15:55   #12
deimos
Registered User

 
Join Date: Jul 2018
Location: Londonish / UK
Posts: 453
Quote:
Originally Posted by Photon View Post
https doesn't matter for pages that don't pass credentials over the connection.

If a website has a user login, it should be over a secure connection.

Some phpBB versions, even old ones, do have login on a separate https page. If there's a setting for such in this version, it would be good to turn it on.
It can get more subtle than this though, if session cookies are passed back over HTTP then it's possible to snoop them to impersonate the user even though the login might have been over HTTPS, for instance.
deimos is offline  
 
Page generated in 0.04134 seconds with 11 queries