Talk:Server clustering improvements proposal

The problem with this setting is that it requires your whole site to be HTTPS, i.e. wwwroot must begin with "https://". This doesn't allow for having only a partly HTTPS site, as can be done with the $CFG->loginhttps feature. Moodle can be informed whether a page is HTTPS or not by checking for a header set by the SSL termination device. So, there should be an advanced configuration option to enter an HTTP header which, if present, indicates the page was accessed under HTTPS. This would allow for a mixed HTTP/HTTPS site with an SSL proxy.

  • Can you tell us more about the use case for a mixed environment like this? The more I've worked with $CFG->loginhttps, the more I've come to realise it isn't a great idea and is fraught with peril. Edge cases (some random forgot-password page) and unsecured sessions (see also Firesheep) are the major security downsides. So I'd actually like to see us move away from supporting mixed environments like this (or at least not introduce another place for it). --Dan Poltawski (talk) 00:18, 11 July 2013 (WST)
  • Mixing HTTP and HTTPS makes HTTPS useless from the security standpoint; I do not think we should encourage it. The recommended way is to switch to HTTPS completely and enable the "Secure cookies only" setting. Petr Škoda (škoďák) (talk) 15:59, 11 July 2013 (WST)
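The two positions in the thread can be seen side by side in a small piece of added example code (not Moodle's own code, and not from any of the participants). It shows what the proposed "header set by the SSL termination device" check has to look like to be safe, namely honouring the header only when the request actually came from the terminator, and how an all-HTTPS site can always put the Secure attribute on its session cookie while a mixed site cannot. The header name `X-Forwarded-Proto`, the proxy network `10.0.0.0/24` and the cookie name `session` are assumptions chosen for the illustration.

```python
"""Detecting HTTPS behind an SSL-terminating proxy, and the cookie consequence.

Added illustration for the discussion above; it is not Moodle code. The header
name X-Forwarded-Proto and the trusted proxy range are assumptions: any header
the terminator sets would do, provided it is only trusted when the immediate
peer is that terminator.
"""
import ipaddress

# Constructed configuration: the SSL terminator(s) whose header we accept.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
PROTO_HEADER = "X-Forwarded-Proto"  # assumed header name set by the terminator


def request_is_https(remote_addr, headers, tls_on_socket=False):
    """Return True if the request reached the user over HTTPS.

    A TLS connection terminated on this server counts directly. Otherwise the
    forwarded-protocol header is consulted, but only when the peer that sent
    the request is a trusted proxy: a client connecting straight to the app
    server must not be able to claim "https" for a plain-HTTP request.
    """
    if tls_on_socket:
        return True
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return False
    # Header names are case-insensitive; if several proxies appended values,
    # the first one describes the client-facing hop.
    for name, val in headers.items():
        if name.lower() == PROTO_HEADER.lower():
            return val.split(",")[0].strip().lower() == "https"
    return False


def session_cookie(name, value, site_is_https_only):
    """Build a Set-Cookie header value for the session cookie.

    On an all-HTTPS site the Secure attribute is always set, so the browser
    never transmits the session id over plain HTTP. A mixed HTTP/HTTPS site
    cannot set it without logging users out of its HTTP pages, which is the
    exposure (cf. Firesheep) the replies above point to.
    """
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
    if site_is_https_only:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    # Constructed requests: one via the terminator, one forged by a direct client.
    print(request_is_https("10.0.0.5", {"X-Forwarded-Proto": "https"}))
    print(request_is_https("203.0.113.9", {"X-Forwarded-Proto": "https"}))
    print(session_cookie("session", "0123abcd", site_is_https_only=True))
    print(session_cookie("session", "0123abcd", site_is_https_only=False))
```

The second `request_is_https` call is the case the proposal has to get right: the same header from an untrusted peer is ignored, so the application never treats a cleartext request as secure. The cookie helper is the reason the replies prefer a fully HTTPS site: only then can `Secure` be unconditional.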