@surfi2000 opened this Issue on December 15th 2014

It's currently possible to go to http://hostname.com which loads the login page. When users use this to log in, the username and password is transmitted in plaintext.

There should be an option in settings to force SSL for login which will redirect users to https://hostname.com.

It could be done at the web server level, however, this will prevent http websites to access http://hostname.com/piwik.js.

Proposed enhancement is a web redirect if the login page is accessed over http and secure HTTPS is enabled in the admin options.

@mattab commented on December 15th 2014 Owner
This Issue was closed on December 15th 2014
Powered by GitHub Issue Mirror