Hi TUs,

The AUR still handles user logins and sessions in an insecure way that can easily be exploited. The last approach to use https by default was denied a long time ago. But I hope you guys will reconsider this decision. To prevent session hijacking, MITM attacks or whatnot I'd recommend the following:

* Redirect all http traffic to https by default
* Set session.cookie_secure = 1 in your php.ini
* If you use setcookie() make sure to set the secure parameter to true
* If you don't require any javascript to access your session data it's also a good idea to set all cookies to httponly (again via php.ini and if you use setcookie() directly)

The optional https access as we have now won't work here. Even if you never forget to add the s to http when you log in, session data is also transferred via http. So once you click a non-https link to the AUR it would be possible for an attacker to hijack your session.

Greetings,

Pierre

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre
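The four points above, put together as an added PHP example (this is not code from Pierre's mail or from the AUR code base): the https redirect, the php.ini settings applied from code, and a setcookie() call shown in its weak and hardened forms. It assumes the web server exposes $_SERVER['HTTPS'] for TLS requests and PHP 5.2 or later (where the httponly argument of setcookie() exists); the cookie name "remember_me" is a made-up placeholder.

```php
<?php
// Added example, not part of the original mail.
// Assumes: $_SERVER['HTTPS'] is set by the web server on TLS requests,
//          PHP >= 5.2 so setcookie() accepts the httponly argument.

// 1. Redirect every plain-http request to https before any session work,
//    so the session cookie is never even offered on an http response.
function redirect_to_https_if_needed() {
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header('Location: ' . $target, true, 301);
        exit;
    }
}

// 2. Same effect as session.cookie_secure = 1 and session.cookie_httponly = 1
//    in php.ini, applied from code for the case where php.ini cannot be edited.
//    Arguments: lifetime, path, domain, secure, httponly.
function start_hardened_session() {
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}

// 3. Any cookie set directly with setcookie() needs the same flags.
function set_remember_cookie($value) {
    // Weak: sent over http as well, and readable from document.cookie:
    // setcookie('remember_me', $value, time() + 86400, '/');
    // Hardened: secure = true (TLS only), httponly = true (no JS access).
    // "remember_me" is a placeholder name, not an AUR cookie.
    setcookie('remember_me', $value, time() + 86400, '/', '', true, true);
}

// 4. Runtime check of the effective session cookie settings, usable from a
//    status page to confirm that php.ini or the code above took effect.
function session_cookie_is_hardened() {
    $p = session_get_cookie_params();
    return !empty($p['secure']) && !empty($p['httponly']);
}

redirect_to_https_if_needed();
start_hardened_session();
set_remember_cookie(session_id());
if (!session_cookie_is_hardened()) {
    error_log('session cookie is missing the secure or httponly flag');
}
```

The redirect alone does not protect a cookie that was already issued without the secure flag; browsers will still send it on the next plain-http request, which is why the cookie flags are needed in addition to the redirect.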