Welcome to the archive of the old FlatPress support forum. Browse more than a decade of FlatPress wisdom! Login is disabled.

The current FlatPress support forum is available here: forum.flatpress.org
Secure login and administration/editing?
  • Salvete! First of all, I like FlatPress, since it's (in a way, that is) a true heir of good ol' Blosxom. FP .909 is great, again. But one thing puzzles me: I have grepped through all the code and read most of the include stuff, but I found no option nor any other mechanism implemented or described (how) to secure login and administration/editing sessions. Could this be true? Since the philosophy behind FlatPress doesn't seem to be as simple as behind Blosxom (simple text-file editing could there be done via SSH/LDAP over SSL), i.e. since FlatPress's master tool for blogging seems to be the editing screen in the admin section, this is rather critical in my eyes. Did I miss something? Agreed, I could "easily" set up a second (virtual) SSL-secured host and rewrite the login.php and admin.php?$ parts to it via mod_rewrite etc., but this is not an option when there is just a default hosting package with "SSL: generally supported". *sigh* Again agreed: it won't solve everything (man-in-the-middle attacks and cross-site scripting, to name a few). But it would be a lot harder for $evil_guys to spy on session data or intercept it. Especially when you (had to) cancel a session that you didn't log out from. Please give me some hints on this /* = things I missed, future plans, how to calm myself down to plain ignorance, $whatever */. Many thanks for all you did so far, Eduardo. Kudos! Bene valete!
  • Unfortunately you are right: as a simple drop-on-the-server solution there aren't measures to use strong encryption such as TLS out of the box. Really, if you connect through an HTTPS connection (if your server is capable), AFAIK https:// URLs should work. So you'd just have to go to https://mysite/flatpress/login.php and go on from there. I've never tried, but I guess it should work; let me know.
  • Sorry for answering this late. Adding a second virtual host for HTTPS/port 443 works just fine with the general certificate. (Of course one could use a dedicated cert as well.) No need for special rules/redirects etc. So this thread was "a solution in search of a problem". Again: sorry.
  • Glad to hear that it works for you :o)
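The setup the third post arrives at (a second virtual host on port 443 serving the same FlatPress directory), combined with the mod_rewrite idea from the first post so that only login.php and admin.php are forced onto the TLS host, as an added Apache example that is not part of the thread or of FlatPress itself. It assumes FlatPress lives in /var/www/flatpress under the hostname blog.example.com, that a certificate and key already exist at the paths shown, that mod_ssl and mod_rewrite are loaded, that PHP runs as mod_php (so php_flag is accepted), and that the FlatPress admin login relies on the standard PHP session cookie.

```apacheconf
# Added example; hostname, paths and the mod_php assumption are placeholders.

<VirtualHost *:80>
    ServerName   blog.example.com
    DocumentRoot /var/www/flatpress

    # Public posts stay readable over plain HTTP, but the two screens that
    # carry credentials and the admin session are redirected to the TLS
    # host below. The query string is preserved by the redirect.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/(login|admin)\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName   blog.example.com
    DocumentRoot /var/www/flatpress

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/blog.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/blog.example.com.key

    # Mark the PHP session cookie Secure so the browser never sends it back
    # over the port-80 host above, and HttpOnly so page scripts cannot read
    # it; this is what keeps the session from being sniffed after login.
    php_flag session.cookie_secure   On
    php_flag session.cookie_httponly On
</VirtualHost>
```

A cheap check after reloading Apache: request http://blog.example.com/login.php and confirm a 301 to the https:// URL, then confirm the Set-Cookie header on the HTTPS login response carries the Secure attribute.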
This discussion has been closed.