Re: Unsafe to continue Django session unencrypted? (i.e. login with HTTPS then drop to HTTP after that?)

2011-06-15 Thread Tom Evans
On Wed, Jun 15, 2011 at 5:40 AM, Chris Seberino wrote:
>
> On Jun 14, 10:47 am, Tom Evans wrote:
>> Yes, of course it is - HTTP is stateless, so how else would sessions
>> work if the session id is not transmitted back to the server by the
>> browser?
>
> I agree.  Yet, eBay, Google Groups & Goda

Re: Unsafe to continue Django session unencrypted? (i.e. login with HTTPS then drop to HTTP after that?)

2011-06-14 Thread Mike Dewhirst
They should be worried. But the session id is not the credentials. So it is probably argued that it is secure enough. However, you should google Firesheep. That is a browser add-on which can hijack non-SSL sessions over unsecured wireless.

Mike

On 15/06/2011, at 2:40 PM, Chris Seberino wro

Re: Unsafe to continue Django session unencrypted? (i.e. login with HTTPS then drop to HTTP after that?)

2011-06-14 Thread Chris Seberino
On Jun 14, 10:47 am, Tom Evans wrote:
> Yes, of course it is - HTTP is stateless, so how else would sessions
> work if the session id is not transmitted back to the server by the
> browser?

I agree. Yet, eBay, Google Groups & Godaddy drop down to HTTP after login. Why aren't they worried?

cs
-

Re: Unsafe to continue Django session unencrypted? (i.e. login with HTTPS then drop to HTTP after that?)

2011-06-14 Thread Tom Evans
On Tue, Jun 14, 2011 at 4:39 PM, Chris Seberino wrote:
> I have Apache in front of my Django app.  It forces login pages to use
> HTTPS but then forces rest of pages to only use HTTP.
>
> Is client browser sending sensitive login or session info in the clear
> when I am not using HTTPS?
>
Yes, of

Unsafe to continue Django session unencrypted? (i.e. login with HTTPS then drop to HTTP after that?)

2011-06-14 Thread Chris Seberino
I have Apache in front of my Django app. It forces login pages to use HTTPS but then forces the rest of the pages to use only HTTP.

Is the client browser sending sensitive login or session info in the clear when I am not using HTTPS?

My non-encrypted pages don't present or ask for sensitive info. The only d