MyBB Community Forums

Full Version: SSL for Login
Regardless of how many times we advise users not to, they often use the same password for multiple websites. This means that if someone catches your password even once, they can gain access to your entire online life. That's scary.

Securing an entire forum through SSL is usually unnecessary, but wherever passwords are required to be entered the use of Secure Sockets Layer can deliver some peace of mind and show your members (and future members) that you give a damn about their privacy.

It would be incredibly handy if this was available in the Admin section with a simple radio button, like: SSL on Login? Yes / No

The reason I believe this should be done through MyBB and not as a plugin is that plugins tend to fall behind with updates and become less dependable. Well, that and plugins can be submitted by anyone, and you never know if someone's actually harvesting passwords instead of helping to protect them. This would also be useful for people who operate both a forum and ecommerce website, as MyBB doesn't play well with integration at this time. This, in turn, causes members to sign up twice, once for the website and a second time for the forum. Chances are really strong that their password for both will be the same, which is a high security risk because their credit card information may be stored on the main website.

Just figured it was worth some consideration.
serve your website in https and use this http://wiki.apache.org/httpd/RewriteHTTPToHTTPS to redirect your users from http://myforums to https://myforums
Https doesn't encrypt the passwords stored in the database as much as we like to... it's the user's fault if they decide to get keylogged etc.

Https can be used already with mybb forums.
@Kickerbat: It's not an SSL's job to encrypt passwords in the database. Https is for encrypting sent information from Point A to Point B.

I'm aware that SSL can be used with MyBB, but that wasn't the point in the thread. I was looking for an easier way to use it for log in only; not the entire website. That's a waste and makes posting on a forum unnecessarily slow.
It happens that I managed to include my forum as an application tab inside my Facebook page. In the process, I had to buy an SSL package from my provider because it is required, by Facebook, that all apps have it.

So at this moment, after reading this thread, now I'm kinda involved too backing up on Joe's suggestion, and I would like to hear a MyBB official reply about it so I'm subscribing to this thread.

Cheers all
(2012-09-05, 09:25 PM) Sammyed wrote: I had to buy an SSL package from my provider because it is required

and here lies the problem. most folks don't want to or can't afford to buy an SSL cert, so then what? well, they use the host's shared certificate.

okay fine. but then what? cookies are not cross-domain (well not supposed to be) and so logging in via the host's shared cert URL will require a session parameter to be passed to the regular URL for the site and thus exchanged for a local cookie upon MyBB noticing a SID in the URL (or POST/GET).

not really hard to do, but it's not a simple change. even then, using SSL changes the cookie scope, so you still may need to transfer/exchange an SID.
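
The cookie-scope point in the reply above, modelled as an added example (not part of any post in this thread and not MyBB code). It applies the RFC 6265 domain-match and Secure rules, ignoring Path, IP-address hosts and public suffixes; the host names and the `sid` cookie name are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    set_by: str               # host whose response carried Set-Cookie
    domain: Optional[str]     # Domain attribute; None means host-only
    secure: bool              # Secure attribute

def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3 for host names: equal, or host is a subdomain of domain."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def browser_accepts(c: Cookie) -> bool:
    """A Domain attribute that does not cover the setting host is rejected."""
    return c.domain is None or domain_match(c.set_by, c.domain)

def browser_sends(c: Cookie, url: str) -> bool:
    """Would a browser attach cookie c to a request for url? (Path ignored.)"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not browser_accepts(c):
        return False
    if c.domain is None:
        in_scope = host == c.set_by.lower()
    else:
        in_scope = domain_match(host, c.domain)
    return in_scope and (parts.scheme == "https" or not c.secure)

# Constructed hosts: the forum's own name and the host's shared-certificate name.
FORUM, SHARED = "forum.example", "secure.sharedhost.example"

def scenarios() -> dict:
    shared_login = Cookie("sid", SHARED, None, secure=True)
    cross_scope = Cookie("sid", SHARED, FORUM, secure=True)
    own_secure = Cookie("sid", FORUM, None, secure=True)
    own_plain = Cookie("sid", FORUM, None, secure=False)
    return {
        "shared-cert cookie reaches forum": browser_sends(shared_login, f"http://{FORUM}/index.php"),
        "shared host may set forum-domain cookie": browser_accepts(cross_scope),
        "Secure cookie sent on http pages": browser_sends(own_secure, f"http://{FORUM}/index.php"),
        "Secure cookie sent on https pages": browser_sends(own_secure, f"https://{FORUM}/member.php"),
        "non-Secure cookie sent on http pages": browser_sends(own_plain, f"http://{FORUM}/index.php"),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label}: {result}")
```

The first two rows are why a login on the shared-certificate host needs a session ID hand-off. The last three show that with SSL on the login page only, the session cookie must be non-Secure to work on the HTTP pages, so it is sent unencrypted on every later request.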
In my case, I wanted https to be used for logging in and also for logged users, as some people are very concerned about privacy on my forum.