We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
    • 8168
    • 1,118 Posts
    I am building a new site with a members area and am using the Login extra - to allow members to login and access the members area. I am planning on having SSL on the domain name for added security - with SSL - how secure will the contents of the members area be? Any tips on making this as tight and secure as possible?

    P.S. Running Revo 2.3.1 and Login 1.9.0-pl


      • 8168
      • 1,118 Posts
      Anyone any thoughts on this???
      • There are so many aspects to "security" that it's hard to respond in any meaningful way. SSL itself may or may not be particularly useful unless it's properly understood and used.

        Basically SSL/SLT serves two purposes, one to validate the identity of the site being connected to, which requires a certificate, but who certifies the certificate? A lot of bad certificates have turned up over the years, and still are turning up from time to time.

        The other purpose is to encrypt the content being passed. The encryption part doesn't depend on a certificate, but browsers will throw up nasty warning dialogs if there isn't a "recognized" certificate attached, so it's generally not too useful to just use it for the encryption alone.

          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
        • Internal MODX security is handled using PHP sessions, which are controlled by cookies. Like SSH, cookies may or may not be secure. By default, MODX does set its session cookies using "HttpOnly", although this is a system setting and can be turned off.

            Studying MODX in the desert - http://sottwell.com
            Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
            Join the Slack Community - http://modx.org
            • 3749
            • 24,544 Posts
            I think Login is fairly secure. The weak link, imo, is Register. I can't really describe the vulnerabilities without giving miscreants ideas, but I created Subscribe partly to avoid the issues with Register.

            That said, someone taking the trouble to exploit the Register snippet is a pretty low-probability event. There are much easier ways to break into sites these days, and since Register is mostly used for front-end users with limited rights, the payoff wouldn't be worth the effort.
              Did I help you? Buy me a beer
              Get my Book: MODX:The Official Guide
              MODX info for everyone: http://bobsguides.com/modx.html
              My MODX Extras
              Bob's Guides is now hosted at A2 MODX Hosting
              • 8168
              • 1,118 Posts
              Bob / Susan - thanks for your input here. Bob - I am not using the Register aspect of Login - The only way to create a new member is by being logged into the manager - so that should help make things as tight as poss I guess?

              Any tips of making things as secure as poss?
                • 36510
                • 10 Posts
                Not sure if this is really related, but I just had an issue with my base_url changing all the time.

                After taking a look at the config file I found this:

                $http_host= array_key_exists('HTTP_HOST', $_SERVER) ? $_SERVER['HTTP_HOST'] : 'my.site.com';

                For what I understand this isn't really save, but can be solved with SSL. It's also possible, that my webserver got hacked, I just changed it so it will be fix to my domain.

                Just wondering if someone else had a similar issue, have seen this previous post:
                http://forums.modx.com/thread/?thread=33408&page=1 [ed. note: sofasurfer.org last edited this post 9 years ago.]
                  Home is where the hard disk is:
                  • 8168
                  • 1,118 Posts
                  Hi sofasurfer - not really related no - Best to not cache your Base URL.