I do all the administrator (mt.cgi) work over SSL, and that all works fine. However, when commenting on a post the sign-in does *not* use SSL, and I've been unable to get it working. If you change the mt.js script to use https, it signs on and works, but when returning to the page to comment it still says "logon to comment".
I'm guessing it's a cookie issue, as the cookies are sent on an SSL connection, but the page is not. I tried accessing the entry using SSL thinking that would help, but it doesn't. The cookies are set (commenter_id, etc.), with "use only on secure connection" set, but on returning to the SSL entry page it still says not signed in.
Any ideas on how to have the comment sign-on work using SSL?
Using http clear text works fine, but sending passwords in clear-text doesn't seem like a good idea.
Reported on Movable Type 4.3

I've never heard any complaint about Movable Type users' login details being provided in the sign-in box in over 300 projects, some of them with tens of thousands of user accounts.
Based on the same logic, we shouldn't use most of the services we're using now, because they are not behind SSL, isn't it?
Well, if you really want to do that, you may still like to look into the JavaScript template. There is the cookie that is set for the user login session.
Kind Regards,
Mihai Bocsaru
Yeah, I've been hacking the mt.js template — several places it uses , and I think that could be changed to (or a relative url), and a few other changes.
Then the main comment template needs a change so the generated HTML pages don't reference http://example.com/cgi-bin/mt/comments.cgi but a relative reference to /cgi-bin/mt/comments.cgi so it would work on http or https.
I'm getting closer, but I've started using the reply function in the admin area, since I'm the only person with a sign-on -- all other commenters post anonymously.
As to SSL, I don't see a reason to *EVER* use sign-ons without it. I know some think differently, but I'd never pass sign-on information unencrypted ... even on a blog.
I was hoping for an easier solution and that I missed something simple.
I find it very disappointing that there isn't more discussion on this topic.
My site gets about 1.5 million unique visitors and 4.5 million page views every month. Providing users with a secure means for login while keeping my site running efficiently over standard HTTP has been a desire of mine for several years now.
My experience is the same as dy's: when logging in using HTTPS but then returning to an HTTP page for commenting, the commenter credentials are missing as if the commenter did not log in. This is obviously undesirable and a simple, straightforward solution is definitely needed for those of us who want it.
Running 4.38.
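
An added example (not part of any post in this thread, and not Movable Type code): the RFC 6265 cookie-selection rules applied to the sign-in-over-HTTPS, comment-over-HTTP scenario the posts describe. The cookie attributes, host names and paths are constructed assumptions, since the thread does not show the actual Set-Cookie header.

```javascript
// Added example: RFC 6265 rules deciding whether a browser exposes a cookie
// to a page (in the Cookie header and in document.cookie).
// All hosts, paths and attribute values below are constructed assumptions.

// Section 5.1.3: host-only cookies need an exact host; Domain= cookies also match subdomains.
function domainMatch(host, cookie) {
  const h = host.toLowerCase();
  const d = cookie.domain.toLowerCase();
  return cookie.hostOnly ? h === d : h === d || h.endsWith("." + d);
}

// Section 5.1.4: cookie path must be a whole-segment prefix of the request path.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Returns null when the cookie is available to the page, otherwise the reason it is withheld.
function whyWithheld(cookie, pageUrl) {
  const url = new URL(pageUrl);
  if (cookie.secure && url.protocol !== "https:") return "secure-cookie-on-http-page";
  if (!domainMatch(url.hostname, cookie)) return "domain-mismatch";
  if (!pathMatch(url.pathname, cookie.path)) return "path-mismatch";
  return null;
}

// Constructed: commenter_id as an HTTPS sign-in might set it, with the Secure flag.
const commenterCookie = { name: "commenter_id", domain: "example.com", hostOnly: true, path: "/", secure: true };

// Constructed page URLs a commenter could return to after signing in.
const pages = [
  "http://example.com/2010/01/entry.html",
  "https://example.com/2010/01/entry.html",
  "https://www.example.com/2010/01/entry.html",
];

function report(cookie) {
  return pages.map((p) => `${p} -> ${whyWithheld(cookie, p) ?? "available"}`);
}

console.log(report(commenterCookie).join("\n"));
// Same cookie scoped to the CGI directory: withheld from entry pages even over HTTPS.
console.log(report({ ...commenterCookie, path: "/cgi-bin/mt" }).join("\n"));
```

Under these assumptions a Secure cookie is never available to the HTTP entry page, and on an HTTPS entry page it is available only when the cookie's host and path scope also cover that page.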