All pages taking in a username/password that could be an ACS account should go through an SSL (HTTPS) connection. Otherwise we are opening up their username/password to be sniffed. This could lead to personal information in ACS being obtained by a 3rd party who shouldn't have it.

Comments

esbon

I am concerned about the same thing, but don't these modules solve the problem? Secure Pages and Secure Pages Hijack Prevention. We use these modules on an e-commerce site with Ubercart and never had any problems.

mfer, would these 2 modules be enough? Any other suggestions to secure logins? Thanks for developing the module!