Re: [Savannah-hackers-public] "Stay in secure (https) mode after login"
From: Assaf Gordon
Subject: Re: [Savannah-hackers-public] "Stay in secure (https) mode after login"
Date: Wed, 15 Mar 2017 11:26:16 -0400
Hello,
> On Mar 14, 2017, at 16:34, Leo Famulari <address@hidden> wrote:
>
>> The Savannah login page includes a checkbox that reads "Stay in secure
>> (https) mode after login".
>>
>> [...]So I'm wondering, what does that checkbox do?
> http://lists.gnu.org/archive/html/savannah-hackers-public/2016-10/msg00002.html
Indeed, forcing HTTPS on login-related pages is a recent improvement.
Thanks for taking the time to check the mailing list and look for past discussions -
much appreciated.
>> While logged in, I manually entered the HTTP URL and was still able to
>> access the administration interface for a group that I administer over
>> the unauthenticated connection.
There is an on-going discussion about forcing HTTPS everywhere on Savannah.
Can you provide a specific example of a URL you can access in HTTP,
and it allows you to make changes (I don't doubt it's possible, just need a
pointer to ease testing).
regards,
- assaf