
 Despite in HTTPS, replies still not secured

TSeverling
post Aug 5 2011, 02:08 AM, updated 15y ago

Look at all my stars!!
*******
Senior Member
3,591 posts

Joined: Feb 2008
When at https://forum.lowyat.net/, replying takes us outside of the HTTPS session.

The code that does that is:
CODE
<form name="REPLIER" action="http://forum.lowyat.net/index.php?" method="post">


Would somebody fix this, please? With sugar and strawberry on top?
TSeverling
post Aug 6 2011, 11:48 PM

The new feature seems to be working well. Tested the posting and search issues.

There's a minor problem when you're in HTTP and then you try posting or searching with the HTTPS option checked, the forum will send you back to the index page. But it works fine if you're already browsing in HTTPS.

Thanks a lot wKkaY!

Added on August 6, 2011, 11:57 pm

Oh, I hadn't realised one problem then. If our bookmarks were pointing at HTTPS but our Board Settings had HTTPS off, we would silently get redirected to HTTP.

I think this behaviour isn't optimal, because the user must know of the HTTPS option. Once your announcement expires or if people never read it (like first time visitors in 2012), they won't be able to use the forum's HTTPS option. It would be much better to default to an "Auto" option, where the forum doesn't care whether you use HTTP or HTTPS.

This post has been edited by everling: Aug 6 2011, 11:57 PM
TSeverling
post Aug 8 2011, 08:08 PM

IIANM, that icon only appears if there is unencrypted content on the page that you're viewing. Was it Chrome? The other browser vendors use different and less disturbing or troubling methods to indicate unencrypted content.

Unencrypted content in your encrypted HTML page is an impossible problem to solve for a forum if you want to allow your users to use external images that come from sites without HTTPS (e.g. signature images, photographs, hardware charts, etc.) or who don't have the technical expertise to know that they need to use HTTPS sources instead of unencrypted sources.
TSeverling
post Aug 8 2011, 10:02 PM

I don't understand why it is that way. HTTPS secured JavaScript scripts can still be super evil and malicious scripts.
TSeverling
post Aug 9 2011, 10:37 AM

wKkaY, perhaps you could make it green for the login page? I don't see why there should be external advertisement links for the login page. It would certainly help prevent eavesdroppers from getting to our passwords.

And you probably should also default the login page to HTTPS.

Also, if you were logged out and wanted to reply or edit your post, the login page there does not use HTTPS for the "action".

This post has been edited by everling: Aug 9 2011, 10:41 AM
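
An added example, not part of the thread and not the forum's own code: a Python check that parses a page served over HTTPS and reports both problems discussed above, forms whose `action` posts to plain HTTP (the reply and login forms) and subresources fetched over HTTP (the mixed-content warning). The names `DowngradeAudit` and `audit`, the sample markup apart from the quoted REPLIER form, and the `images.example` host are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that submit user data, and attributes that fetch subresources.
SUBMIT = {("form", "action"), ("button", "formaction"), ("input", "formaction")}
FETCH = {("img", "src"), ("script", "src"), ("iframe", "src")}

class DowngradeAudit(HTMLParser):
    """Collect URLs on an HTTPS page that leave the encrypted session."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if (tag, name) in SUBMIT:
                kind = "insecure-submit"
            elif (tag, name) in FETCH:
                kind = "mixed-content"
            else:
                continue
            # Relative and protocol-relative URLs inherit the page's scheme.
            target = urljoin(self.page_url, value)
            if urlsplit(target).scheme == "http":
                self.findings.append((kind, tag, target))

def audit(page_url, html):
    if urlsplit(page_url).scheme != "https":
        raise ValueError("audit only applies to pages served over HTTPS")
    parser = DowngradeAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample: the reply form quoted in the first post, a relative
# form that stays on HTTPS, and hypothetical external images.
SAMPLE = """
<form name="REPLIER" action="http://forum.lowyat.net/index.php?" method="post">
</form>
<form action="index.php?" method="post"></form>
<img src="http://images.example/signature.png">
<img src="https://images.example/chart.png">
"""

if __name__ == "__main__":
    for finding in audit("https://forum.lowyat.net/index.php", SAMPLE):
        print(*finding)
```

Forms with a relative or missing `action` are not reported, because the browser resolves them against the HTTPS page URL.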

 
