[ic] secure login

Grant interchange-users@icdevgroup.org
Wed Oct 30 16:03:03 2002


>> Dear ICDEVGROUP,
>>
>> Maybe this question has been asked before, but
>> I don't seem to find anything in the archives
>> nor can I remember it ever being asked, so here
>> it is:
>>
>> If IC is designed to provide secure pages, why
>> is the admin login page and its directories also
>> not a secure function?
>
>Just set the UI_SECURE variable to 1 and the admin stuff
>uses https:// too.
>
>Ciao
>     Racke

A little while back I asked a couple questions about the UI login and I
didn't get an answer.  I think I'll try again :)

The two cookies named MV_USERNAME and MV_PASSWORD are being set at my 4.8.6
UI login page after the username and password are entered there.  I'm hoping
to keep those cookies from being set there for three reasons:

1. There is no autologin feature for the UI so they're pointless as far as I
can tell.

2. When I browse my store's front-end, the error log becomes overrun with
"Denied attempted login with nonexistent user name 'myUIusername'" which
must be because the autologin feature on my store's front-end uses cookies
of the same name as those that were set at the UI login.

3. The cookies being set are explicitly NOT secure, and they contain the
extremely sensitive UI username and password.  I would think that that
could be a major security issue.

Is there any way to disable those cookies from being set at the UI login?
Is this behavior the same in 4.9/5.0?

- Grant
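
The two cookie concerns raised in the message above (no Secure attribute, and a scope that also reaches the storefront) can be checked from a captured login response. This is an added example, not part of the original message and not Interchange code. The cookie names are from the post; the header values, `SESSION_EXAMPLE`, and the `/cgi-bin/store` paths are constructed assumptions.

```python
# Added example: audit the Set-Cookie headers of a login response.
# Cookie names come from the post; paths and header values are constructed.
CREDENTIAL_COOKIES = {"MV_USERNAME", "MV_PASSWORD"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attrs); attr names lowercased."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts:
        return "", {}
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def path_matches(cookie_path, request_path):
    """RFC 6265 path-match: would a cookie with cookie_path go to request_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def audit_login_cookies(set_cookie_headers, storefront_path):
    """Return sorted (cookie_name, finding) pairs for credential cookies."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name not in CREDENTIAL_COOKIES:
            continue
        if "secure" not in attrs:
            findings.append((name, "missing Secure"))
        # Without a Path attribute the browser derives one from the request
        # URL, which this script does not see, so only explicit paths are checked.
        if "path" in attrs and path_matches(attrs["path"], storefront_path):
            findings.append((name, "sent to storefront"))
    return sorted(findings)


# Constructed sample: what an admin login response might look like.
SAMPLE_HEADERS = [
    "SESSION_EXAMPLE=abc123; path=/",
    "MV_USERNAME=uiadmin; path=/",
    "MV_PASSWORD=example-only; path=/",
]

if __name__ == "__main__":
    for name, finding in audit_login_cookies(SAMPLE_HEADERS, "/cgi-bin/store"):
        print(f"{name}: {finding}")
```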