  • I am building a new site with a members area and am using the Login extra to allow members to log in and access the members area. I am planning on having SSL on the domain name for added security. With SSL, how secure will the contents of the members area be? Any tips on making this as tight and secure as possible?

    P.S. Running Revo 2.3.1 and Login 1.9.0-pl

    Cheers

    dubbs.
    • Anyone have any thoughts on this?
      • There are so many aspects to "security" that it's hard to respond in any meaningful way. SSL itself may or may not be particularly useful unless it's properly understood and used.

        Basically SSL/TLS serves two purposes. One is to validate the identity of the site being connected to, which requires a certificate, but who certifies the certificate? A lot of bad certificates have turned up over the years, and still are turning up from time to time.

        The other purpose is to encrypt the content being passed. The encryption part doesn't depend on a certificate, but browsers will throw up nasty warning dialogs if there isn't a "recognized" certificate attached, so it's generally not too useful to just use it for the encryption alone.

        https://scotthelme.co.uk/ssl-does-not-make-site-secure/
          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
        • Internal MODX security is handled using PHP sessions, which are controlled by cookies. Like SSH, cookies may or may not be secure. By default, MODX does set its session cookies using "HttpOnly", although this is a system setting and can be turned off.

          http://www.troyhunt.com/2013/03/c-is-for-cookie-h-is-for-hacker.html
          • I think Login is fairly secure. The weak link, imo, is Register. I can't really describe the vulnerabilities without giving miscreants ideas, but I created Subscribe partly to avoid the issues with Register.

            That said, someone taking the trouble to exploit the Register snippet is a pretty low-probability event. There are much easier ways to break into sites these days, and since Register is mostly used for front-end users with limited rights, the payoff wouldn't be worth the effort.
              Did I help you? Buy me a beer
              Get my Book: MODX:The Official Guide
              MODX info for everyone: http://bobsguides.com/modx.html
              My MODX Extras
              Bob's Guides is now hosted at A2 MODX Hosting
            • Bob / Susan - thanks for your input here. Bob - I am not using the Register aspect of Login - The only way to create a new member is by being logged into the manager - so that should help make things as tight as poss I guess?

              Any tips on making things as secure as poss?
              • Not sure if this is really related, but I just had an issue with my base_url changing all the time.

                After taking a look at the config file I found this:

                <?php
                // Site host is taken from the client-supplied Host header when present,
                // falling back to a fixed hostname only when the header is absent.
                $http_host = array_key_exists('HTTP_HOST', $_SERVER) ? $_SERVER['HTTP_HOST'] : 'my.site.com';

                From what I understand this isn't really safe, but can be solved with SSL. It's also possible that my webserver got hacked; I just changed it so it will be fixed to my domain.

                Just wondering if someone else had a similar issue, have seen this previous post:
                http://forums.modx.com/thread/?thread=33408&page=1
                  Home is where the hard disk is:
                  http://sofasurfer.org
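The config line quoted above, shown next to a hardened version that only accepts a Host header from a fixed allow-list. This is an added illustration, not MODX's own config code; the allow-list, the `my.site.com` fallback and the sample request arrays are assumed values constructed for the example.

```php
<?php
// Added example: weak vs. allow-listed resolution of the site host used for base_url.
// 'my.site.com' is the poster's fallback; the allow-list entries are assumed values.

// Weak form, as in the quoted config: whatever the client sent as Host becomes
// the site host, so any name the web server answers to can end up in generated URLs.
function weakHost(array $server)
{
    return array_key_exists('HTTP_HOST', $server) ? $server['HTTP_HOST'] : 'my.site.com';
}

// Hardened form: normalise the header (strip :port, lower-case), require a plain
// hostname shape, and accept it only if it is on the allow-list; else use the fallback.
function safeHost(array $server, array $allowed = array('my.site.com', 'www.my.site.com'), $fallback = 'my.site.com')
{
    $host = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '';
    $host = strtolower(preg_replace('/:\d+$/', '', $host));   // "my.site.com:443" -> "my.site.com"
    if (preg_match('/^[a-z0-9.-]+$/', $host) && in_array($host, $allowed, true)) {
        return $host;
    }
    return $fallback;
}

// Constructed sample requests: a legitimate one and one whose Host header is not ours.
$legit   = array('HTTP_HOST' => 'www.My.Site.com:443');
$unknown = array('HTTP_HOST' => 'other.example');
$missing = array();

echo "weak, unknown host:  " . weakHost($unknown) . PHP_EOL;   // the unknown name is used as-is
echo "safe, unknown host:  " . safeHost($unknown) . PHP_EOL;   // falls back to the fixed name
echo "safe, legit host:    " . safeHost($legit)   . PHP_EOL;   // normalised allow-listed name
echo "safe, missing host:  " . safeHost($missing) . PHP_EOL;   // falls back to the fixed name
```

The same allow-list check belongs at the web-server level too, since a catch-all virtual host is what lets an unexpected Host value reach PHP in the first place.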
                • Hi sofasurfer - not really related no - Best to not cache your Base URL.