@codinghorror I see that Discourse now actually has a “use_ssl” option, but it’s not entirely clear what this option does. My site works fine via HTTPS regardless of what this option is set to.
However, Discourse should definitely add an option for secure cookies. As it is now, I get an unsecure cookie when logging in via HTTPS. This means that any standard HTTP requests to the forum server will also include my session cookie. Thus, using HTTPS adds almost no protection against session hijacking.
Oh, and please don’t call it SSL
You probably know this, but the use_ssl option is actually a bit of a misnomer. If you use HTTPS with a modern web browser and server, you’re not actually using SSL. You’re using [TLS].
I know it’s still called SSL in many places for legacy reasons (openssl, anyone?), but that is not technically correct. And HTTPS is a more precise term anyways. We’re not using TLS/SSL for any old protocol. We’re discussing whether to encrypt our HTTP connections or not.
So pretty please, with sugar on top, can we call it use_https instead? It would make us pedants sleep better at night
[TLS]: Transport Layer Security - Wikipedia
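
An added illustration of the cookie behaviour the post describes (not part of the original post and not Discourse code): it parses `Set-Cookie` headers and reports which cookies a browser would still attach to a plain `http://` request. The cookie name, value and host are constructed, and path/domain matching is left out as a simplifying assumption.

```ruby
require "uri"

# Parse one Set-Cookie header value into name, value and a lowercase attribute map.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip).reject(&:empty?)
  name, value = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, acc|
    key, val = attr.split("=", 2)
    # Flag attributes such as Secure and HttpOnly carry no value.
    acc[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value.to_s, attributes: attributes }
end

# Browser rule: a cookie carrying Secure is only attached to https:// requests;
# one without it is attached to http:// and https:// requests alike.
def sent_with_request?(cookie, url)
  scheme = URI.parse(url).scheme
  return scheme == "https" if cookie[:attributes].key?("secure")
  %w[http https].include?(scheme)
end

# Names of cookies (as set by the server) that would travel over plain HTTP.
def cookies_exposed_over_http(set_cookie_headers, host)
  set_cookie_headers
    .map { |h| parse_set_cookie(h) }
    .select { |c| sent_with_request?(c, "http://#{host}/") }
    .map { |c| c[:name] }
end

# Constructed sample headers; names and values are made up for illustration.
WITHOUT_SECURE = ["_forum_session=abc123; path=/; HttpOnly"].freeze
WITH_SECURE    = ["_forum_session=abc123; path=/; HttpOnly; Secure"].freeze

if __FILE__ == $PROGRAM_NAME
  host = "forum.example" # hypothetical host
  puts "without Secure: #{cookies_exposed_over_http(WITHOUT_SECURE, host).inspect}"
  puts "with Secure:    #{cookies_exposed_over_http(WITH_SECURE, host).inspect}"
end
```
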