Quote:
Originally Posted by Photon
https doesn't matter for pages that don't pass credentials over the connection.
If a website has a user login, it should be over a secure connection.
Some phpBB versions, even old ones, do have login on a separate https page. If there's a setting for such in this version, it would be good to turn it on.
It can get more subtle than this, though: if session cookies are passed back over HTTP, then it's possible to snoop them to impersonate the user even though the login might have been over HTTPS, for instance.
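The case described above, as an added example that is not part of the original post: a short Python audit of captured responses that flags session cookies issued over plain HTTP, or issued over HTTPS without the `Secure` attribute (so the browser would also send them on later `http://` requests). The URLs, cookie names and the name-matching heuristic are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: substrings that mark a cookie as a session identifier.
SESSION_HINTS = ("sid", "sess", "auth")

def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit(responses):
    """responses: iterable of (response URL, Set-Cookie value). Returns a list of findings."""
    findings = []
    for url, set_cookie in responses:
        name, attrs = parse_set_cookie(set_cookie)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue  # not a session cookie by our heuristic
        if urlsplit(url).scheme != "https":
            # The cookie is already visible on the wire when it is issued.
            findings.append((name, "issued over plain HTTP"))
        elif "secure" not in attrs:
            # Login was encrypted, but the browser will attach this cookie
            # to any later http:// request to the same host.
            findings.append((name, "no Secure attribute"))
    return findings

# Constructed sample data: HTTPS login, but the session cookie is not pinned to HTTPS.
WEAK = [
    ("https://forum.example/login.php", "forum_sid=3f9c0a; Path=/; HttpOnly"),
    ("http://forum.example/index.php", "forum_sid=3f9c0a; Path=/; HttpOnly"),
    ("https://forum.example/login.php", "forum_style=dark; Path=/"),
]
# Constructed sample data: same login with the session cookie restricted to HTTPS.
HARDENED = [
    ("https://forum.example/login.php", "forum_sid=3f9c0a; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(sample))
```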