On Jun 13, 4:43 pm, Michael Orlitzky <mich...@orlitzky.com> wrote: > I don't know if there's a way to allow this, but why would you want to? > When you log in -- presumably, over SSL, because you want to protect > your password -- your browser is sent a session cookie that it uses to > identify you in the future. > > If you switch to plain HTTP in the same session, your password won't be > sent in plain text, but the session cookie will be, and that's almost as > bad: an attacker can pretend he's you until you log out. > > You could do a delicate dance to try to ensure that only "unprivileged" > data is sent across the plain-HTTP channel; but again, why? And is it > worth the time it would take to implement it and the associated security > risk?
Michael Speed is one reason someone may want to only do the login with SSL. I just checked and when I log into PayPal, it stays in SSL mode. However, when I log into eBay, it jumps OUT of SSL mode. Godaddy seems to do some pages with SSL and some without SSL. Whenever these sites drop down to unencrypted, aren't they also insecure since eBay and Godaddy are sending cookies in the clear? Sincerely, Chris Seberino -- To post to this group, send email to sage-support@googlegroups.com To unsubscribe from this group, send email to sage-support+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/sage-support URL: http://www.sagemath.org
