View Single Post
Old 25 September 2019, 15:55   #12
Registered User

Join Date: Jul 2018
Location: Londonish / UK
Posts: 489
Originally Posted by Photon View Post
https doesn't matter for pages that don't pass credentials over the connection.

If a website has a user login, it should be over a secure connection.

Some phpBB versions, even old ones, do have login on a separate https page. If there's a setting for such in this version, it would be good to turn it on.
It can get more subtle than this though, if session cookies are passed back over HTTP then it's possible to snoop them to impersonate the user even though the login might have been over HTTPS, for instance.
deimos is offline  
Page generated in 0.04503 seconds with 11 queries