Re: [sage-support] Must *all* notebook server pages be under SSL if server uses SSL?

2011-06-13 Thread Michael Orlitzky
On 06/12/11 20:56, Chris Seberino wrote:
> Is it correct that if one uses SSL for a notebook server then ALL the
> pages MUST be under SSL?
>
> The reason I'm asking is that the notebook server appears unable to
> handle Apache configs that try to switch from SSL to unencrypted after
> login.
>
> In other words, notebook is brittle when it comes to attempts to do
> anything fancy with Apache.

I don't know if there's a way to allow this, but why would you want to?
When you log in -- presumably, over SSL, because you want to protect
your password -- your browser is sent a session cookie that it uses to
identify you in the future.

If you switch to plain HTTP in the same session, your password won't be
sent in plain text, but the session cookie will be, and that's almost as
bad: an attacker can pretend he's you until you log out.

You could do a delicate dance to try to ensure that only unprivileged
data is sent across the plain-HTTP channel; but again, why? And is it
worth the time it would take to implement it and the associated security
risk?

-- 
To post to this group, send email to sage-support@googlegroups.com
To unsubscribe from this group, send email to 
sage-support+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/sage-support
URL: http://www.sagemath.org
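
The exposure described in the reply above, as an added example that is not part of the thread and not Sage notebook code: given the Set-Cookie headers issued at login and the URLs requested afterwards, it reports which cookies a browser would send over plain HTTP. The host `notebook.example`, the cookie name `nb_session` and the token values are constructed, and only the Secure and Path attributes are modelled (Domain and expiry are ignored).

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def sent_with_request(set_cookie, url):
    """True if a browser would attach this cookie to a request for url."""
    _, _, attrs = parse_set_cookie(set_cookie)
    parts = urlsplit(url)
    # A cookie marked Secure is only ever sent over HTTPS.
    if "secure" in attrs and parts.scheme != "https":
        return False
    cookie_path = attrs.get("path", "/")
    request_path = parts.path or "/"
    return (request_path == cookie_path
            or request_path.startswith(cookie_path.rstrip("/") + "/"))

def leaked_cookies(set_cookie_headers, later_urls):
    """Names of login cookies that would cross the wire unencrypted."""
    leaked = []
    for header in set_cookie_headers:
        name = parse_set_cookie(header)[0]
        if any(urlsplit(u).scheme == "http" and sent_with_request(header, u)
               for u in later_urls):
            leaked.append(name)
    return leaked

# Constructed sample data: the same session cookie with and without Secure.
LOGIN_PLAIN = "nb_session=constructed-token-1; Path=/"
LOGIN_SECURE = "nb_session=constructed-token-2; Path=/; Secure; HttpOnly"
# Constructed post-login navigation: the site drops back to HTTP after login.
LATER_URLS = ["https://notebook.example/login",
              "http://notebook.example/home/"]

if __name__ == "__main__":
    print("without Secure:", leaked_cookies([LOGIN_PLAIN], LATER_URLS))
    print("with Secure:   ", leaked_cookies([LOGIN_SECURE], LATER_URLS))
```

With the Secure attribute set, the cookie is withheld from the HTTP request, so the plain-HTTP pages see the user as logged out; that is the behaviour to expect from any setup that switches to unencrypted pages after an SSL login.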


[sage-support] Must *all* notebook server pages be under SSL if server uses SSL?

2011-06-12 Thread Chris Seberino
Is it correct that if one uses SSL for a notebook server then ALL the
pages MUST be under SSL?

The reason I'm asking is that the notebook server appears unable to
handle Apache configs that try to switch from SSL to unencrypted after
login.

In other words, notebook is brittle when it comes to attempts to do
anything fancy with Apache.

cs
