Drop login-over-https feature #5729
Current available setting is login-over-https:
I'm personally in favor of dropping login-over-https support completely and forcing admins to go all or nothing.
See #4693. Our current implementation is providing near 0 benefit because of this. Fixing it will be complex. Much easier to just set your site root to https.
Also, the logic for https login is duplicated in a few places. If you spit out your own login form, you have to remember to respect the setting, etc.
Is the overhead you're concerned about just the additional CPU required for encryption?
Concerns as I understand them:
I can do more testing in this area.
(*aside: I turned on Apache's mod_cache and it delivers quite a dramatic boost. We should recommend all Apache users use it as it's trivial to enable.)
We never use https over logon only. Only full https. Using it only on login is just solving it for a single page. There are more pages, like change password, or settings that could benefit from SSL to protect your credentials.
So I agree with Evan to remove this.
On Fri, Oct 17, 2014 at 6:32 AM, Jeroen Dalsem email@example.com