Opened 8 years ago

Closed 8 years ago

#1772 closed task (fixed)

Password reset link is not https

Reported by: wildintellect
Owned by: sac@…
Priority: major
Milestone:
Component: SysAdmin
Keywords:
Cc:

Description

Password reset links emailed to users need to be https only.

Change History (1)

comment:1 by strk, 8 years ago

Resolution: fixed
Status: new → closed

The password reset link in the mail is currently http or https depending on the scheme used to request the reset link. Basically the script sends a link to self (SCRIPT_URI).

I've now forced the reset link to be https no matter the access schema. See commit e2bfe459f38fafb594194e5546f57a7963ea1849 in the cgi-bin dir.

It would be a good idea, in general, to redirect http to https for the userid related scripts at the Apache level.
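The behaviour described in comment:1, as an added Python example that is not the code from the referenced commit: the first function builds the link from SCRIPT_URI as-is, the second forces https. The `token` query parameter, the function names and the host `id.example.org` are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode


def reset_link_from_request(environ, token):
    """Before: link to self, so the link inherits the request's scheme."""
    return environ["SCRIPT_URI"] + "?" + urlencode({"token": token})


def reset_link_https(environ, token):
    """After: the link is always https, whatever scheme the request used."""
    parts = urlsplit(environ["SCRIPT_URI"])
    host = parts.hostname
    if not host:
        raise ValueError("SCRIPT_URI carries no host name")
    if ":" in host:
        # urlsplit strips the brackets from IPv6 literals; put them back.
        host = "[" + host + "]"
    # The port is dropped on purpose: a plain-http port (80, 8080, ...) is
    # wrong for https. Assumption: https is served on the default port 443.
    query = urlencode({"token": token})
    return urlunsplit(("https", host, parts.path, query, ""))


if __name__ == "__main__":
    # Constructed CGI environment: reset requested over plain http.
    env = {"SCRIPT_URI": "http://id.example.org:80/cgi-bin/reset.cgi"}
    print("before:", reset_link_from_request(env, "abc123"))
    print("after: ", reset_link_https(env, "abc123"))
```

This covers only the emailed link; a user who reaches the script over http is still served over http unless the web server redirects.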
