On Fri, Oct 29, 2010 at 4:23 PM, Lon Koenig <l...@schnoggo.com> wrote: > Are these susceptible to the cleartext cookie silliness exposed by FireSheep?
Well, Apache::Session doesn't handle cookies at all, so it's entirely up to you how you want to deal with it, and CGI::Session doesn't dictate whether or not your site uses SSL, so that is also up to you. There is no way to prevent people from potentially seeing cookies (or anything else) passed over a non-SSL network. Sites that are seriously concerned about this should use SSL. Even sites that don't use SSL should use cookies with some form of MAC and a reasonable session timeout. - Perrin
