They should be worried. But the session id is not the credentials. So it is probably argued that it is secure enough.
However, you should google firesheep. That is a browser add-on which can hijack non-SSL sessions over unsecured wireless.

Mike

On 15/06/2011, at 2:40 PM, Chris Seberino <cseber...@gmail.com> wrote:

> On Jun 14, 10:47 am, Tom Evans <tevans...@googlemail.com> wrote:
>> Yes, of course it is - HTTP is stateless, so how else would sessions
>> work if the session id is not transmitted back to the server by the
>> browser?
>
> I agree. Yet, eBay, Google Groups & Godaddy drop down to HTTP after
> login.
> Why aren't they worried?
>
> cs
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To post to this group, send email to django-users@googlegroups.com.
> To unsubscribe from this group, send email to
> django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.
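The thread's point is that a session id sent as a cookie over plain HTTP is as good as the credentials to anyone on the same unsecured network. On the defending side the cookie attribute that stops the browser from sending it over HTTP at all is `Secure` (in Django, `SESSION_COOKIE_SECURE = True`), and `HttpOnly` keeps page scripts from reading it. The audit below is an added example, not code from this thread or from Django: it parses `Set-Cookie` headers with the standard library and reports session cookies that would still travel over HTTP. It assumes Django's default session cookie name `sessionid`; the header values are constructed samples.

```python
from http.cookies import SimpleCookie

# Django's default session cookie name; other frameworks use other names,
# so callers can pass their own set.
DEFAULT_SESSION_COOKIES = {"sessionid"}


def audit_set_cookie(header_value, cookie_names=DEFAULT_SESSION_COOKIES):
    """Parse one Set-Cookie header value and report missing protections.

    Returns {cookie_name: [issue, ...]} for every cookie in the header whose
    name is in cookie_names. An empty list means the cookie carries both the
    Secure and HttpOnly attributes.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        if name not in cookie_names:
            continue
        issues = []
        # Morsel flags are True when present and '' when absent.
        if not morsel["secure"]:
            issues.append("missing Secure: browser will send it over plain HTTP")
        if not morsel["httponly"]:
            issues.append("missing HttpOnly: readable by page scripts")
        findings[name] = issues
    return findings


def audit_response_headers(headers, cookie_names=DEFAULT_SESSION_COOKIES):
    """Audit a list of (header-name, value) pairs as an HTTP client sees them.

    Each Set-Cookie header is parsed separately, since one response may set
    several cookies in several headers.
    """
    findings = {}
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            findings.update(audit_set_cookie(hvalue, cookie_names))
    return findings


def exposed_over_http(headers, cookie_names=DEFAULT_SESSION_COOKIES):
    """Names of session cookies the browser would transmit over plain HTTP."""
    return sorted(
        name
        for name, issues in audit_response_headers(headers, cookie_names).items()
        if any(issue.startswith("missing Secure") for issue in issues)
    )


# Constructed sample responses (not captured from any real site).
# The weak one matches a login response from a site that serves pages over
# HTTP after login: the cookie has HttpOnly but no Secure attribute.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Max-Age=1209600; HttpOnly"),
]
# The hardened one is what Django emits with SESSION_COOKIE_SECURE = True
# (and its default SESSION_COOKIE_HTTPONLY = True).
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Max-Age=1209600; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response_headers(headers))
        print(label, "exposed over http:", exposed_over_http(headers))
```

Feeding the function the headers of a real login response (for example from `urllib.request` or a browser's network panel) shows directly whether the site in question is in the "drops to HTTP after login" class the thread describes; the `Secure` attribute, not the cookie's value, is what decides whether the browser will hand the session id to a plaintext connection.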