[ mailman-Patches-746728 ] ssl support for list administration
SourceForge.net
noreply at sourceforge.net
Mon May 10 15:47:43 EDT 2004
Patches item #746728, was opened at 2003-05-31 20:27
Message generated for change (Comment added) made by donnc
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=746728&group_id=103
Category: list administration
Group: Mailman 2.1
Status: Open
Resolution: None
Priority: 5
Submitted By: matze (indygena)
Assigned to: Nobody/Anonymous (nobody)
Summary: ssl support for list administration
Initial Comment:
Adds SSL support for the administration interface. Via
the boolean configuration parameter
DEFAULT_ADMIN_USE_SSL it can be defined that the list
administration interface is accessed over an SSL-encrypted
connection.
----------------------------------------------------------------------
Comment By: Donn Cave (donnc)
Date: 2004-05-10 19:47
Message:
Logged In: YES
user_id=42839
Would it make sense to add `secure' to the authentication
cookie? (c[key]['secure'] = 'ok', ca. line 243
SecurityManager.py.)
This instructs the browser to send the cookie to https only.
Otherwise it will send it for every URL at the site, including
but not limited to the admin pages.
I have done this at our site, for all cookie authentication. I
needed to modify the source a lot more, but I needed to do it
for the sake of our single login hacks. Even for the standard
release version, though, I believe it's a good idea. For one
thing, `user' passwords will frequently be identical to the
ones used for more sensitive authorization.
To make this work without requiring SSL even for listinfo, I
believe you have to make Utils.py recognize whether it's
already talking to an SSL user so that it can decide URLs (for
example to the archives) at run-time, but also give the
system a way to require some (like admin) to be https
anyway.
(Sorry to chime in so late, but from here it looks like this
hasn't gone very far anyway.)
----------------------------------------------------------------------
Comment By: Peer Heinlein (pheinlein)
Date: 2003-10-23 17:18
Message:
Logged In: YES
user_id=581680
It works well and should be included into the normal Mailman as
soon as possible.
But it would be better, if Mailman produces a HTTP 301 redirect to
https, if the admin login page is accessed via http instead of https.
That would take care of having no admin password transferred to
mailman without using an encrypted connection.
And -- this patch should produce a similar 301-redirect if
/mailman/create is accessed via http. :-)
----------------------------------------------------------------------
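The two suggestions in the comments above (a `secure` attribute on the authentication cookie, and a 301 redirect to https for the admin and create pages) are sketched here as an added example; it is not part of the tracker thread or of the submitted patch. It uses Python 3's `http.cookies` rather than Mailman's own code, and the host name, path list, function names, cookie name and sample CGI environments are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# Assumptions for this sketch (not Mailman settings): a fixed canonical host
# and the CGI paths that must never be served over plain HTTP.
CANONICAL_HOST = "lists.example.org"
TLS_ONLY = ("/mailman/admin", "/mailman/admindb", "/mailman/create")


def is_https(environ):
    """True when the web server marked the CGI request as TLS (HTTPS=on)."""
    return environ.get("HTTPS", "").lower() in ("on", "1")


def needs_tls(path):
    """Match whole path segments so /mailman/admin does not match /mailman/adminfoo."""
    return any(path == p or path.startswith(p + "/") for p in TLS_ONLY)


def redirect_for(environ):
    """Return (status, headers) for a 301 to https, or None to serve the request."""
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    if is_https(environ) or not needs_tls(path):
        return None
    # Build the target from configuration, not from the client's Host header.
    url = "https://" + CANONICAL_HOST + path
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    return "301 Moved Permanently", [("Location", url)]


def auth_cookie_header(key, value, environ):
    """Set-Cookie value; Secure is added whenever the login arrived over TLS."""
    c = SimpleCookie()
    c[key] = value
    c[key]["path"] = "/mailman/"
    if is_https(environ):
        c[key]["secure"] = True  # browser returns it on https requests only
    return c[key].OutputString()


if __name__ == "__main__":
    # Constructed CGI environments for illustration.
    plain = {"SCRIPT_NAME": "/mailman/admin", "PATH_INFO": "/testlist"}
    tls = dict(plain, HTTPS="on")
    print(redirect_for(plain))
    print(auth_cookie_header("testlist+admin", "2802000000", tls))
```

Because the redirect runs before any login form is served on the listed paths, the admin password is only ever posted over TLS, and the cookie issued there carries `Secure`.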