What's to stop a hacker from stealing the session, then going to the user profile page and looking at the password? Of course, if you do pass the user from https to http, you can still require that profile management go through https, or simply never print the password to the browser.
I personally wouldn't want to use an insecure site for anything with personal information. As others have said, you have to weigh the cost vs. the advantage of tight security. If you're prohibited by cost, i.e. paying for a cert and hardware, then you really don't have a choice.

peter

Durham David Cntr 805CSS/SCBE wrote:
>
> Like I said, your session is open to snooping and hijacking, but your password is not revealed.