Hi,

> Can't you just redirect http to https on the login page....
>
> All other pages can be served normally either via HTTP or HTTPS, or
> you can have the https version forward back to http....
If you're maintaining the user state via a cookie or a GET-parameter session id, continuing without SSL encryption after login increases the probability of session hijacking, since the session hash (wherever it is stored) can be spied out by a "man in the middle" attack. I know this is really unlikely, but from our experience: if it can be done, it will be done some day in the future. For this reason I really would recommend staying SSL encrypted as long as the user is authenticated.

HTH and best regards,
Volker Goebbels

--
Dr. Volker Göbbels
Arachnion GmbH & Co. KG, Sandkaulbach 4, 52062 Aachen
Geschäftsführer Dr. V. Göbbels, HR Aachen A 4674
http://www.arachnion.de, http://blog.arachnion.eu
Mitglied im BVSI e.V & Business-Club Aachen Maastricht
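One way to enforce "stay on SSL as long as the user is authenticated" in a Python/WSGI stack such as TurboGears is a small middleware that (a) redirects any plain-HTTP request carrying the session cookie, or aimed at the login URL, to the same URL over HTTPS, and (b) stamps the session cookie with the Secure and HttpOnly attributes so the browser itself refuses to send it over HTTP. The following is an added example written for this thread, not code from the original message or from TurboGears; the cookie name `session_id`, the login path `/login`, the toy `demo_app` and the constructed WSGI environs are assumptions for illustration.

```python
"""WSGI middleware that keeps an authenticated session on HTTPS.

1. A plain-HTTP request that carries the session cookie, or that targets the
   login URL, is redirected (302) to the same URL over https://.
2. Every Set-Cookie for the session cookie emitted by the application gets
   the Secure and HttpOnly attributes, so the browser will not replay it over
   plain HTTP and page scripts cannot read it.
"""
from http.cookies import SimpleCookie
from urllib.parse import quote

SESSION_COOKIE = "session_id"   # assumed session cookie name
LOGIN_PATHS = ("/login",)       # assumed login URL(s)


def _has_session_cookie(environ):
    """True if the incoming Cookie header already contains the session id."""
    jar = SimpleCookie()
    try:
        jar.load(environ.get("HTTP_COOKIE", ""))
    except Exception:
        return False
    return SESSION_COOKIE in jar


def https_url(environ):
    """Rebuild the request URL with the https scheme (path is re-quoted)."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
    qs = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (host, path, "?" + qs if qs else "")


def _harden_cookie(header_value):
    """Add Secure and HttpOnly to a Set-Cookie value for the session cookie."""
    name = header_value.split("=", 1)[0].strip()
    if name != SESSION_COOKIE:
        return header_value
    attrs = [a.strip().lower() for a in header_value.split(";")[1:]]
    if "secure" not in attrs:
        header_value += "; Secure"
    if "httponly" not in attrs:
        header_value += "; HttpOnly"
    return header_value


class SessionOverTLS:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        on_https = environ.get("wsgi.url_scheme") == "https"
        path = environ.get("PATH_INFO", "")
        if not on_https and (path in LOGIN_PATHS or _has_session_cookie(environ)):
            start_response("302 Found", [("Location", https_url(environ)),
                                         ("Content-Type", "text/plain"),
                                         ("Content-Length", "0")])
            return [b""]

        def wrapped_start(status, headers, exc_info=None):
            hardened = [(k, _harden_cookie(v) if k.lower() == "set-cookie" else v)
                        for k, v in headers]
            return start_response(status, hardened, exc_info)

        return self.app(environ, wrapped_start)


def demo_app(environ, start_response):
    """Toy application (constructed): /login issues the session cookie."""
    if environ.get("PATH_INFO") == "/login":
        start_response("200 OK", [("Content-Type", "text/plain"),
                                  ("Set-Cookie", "%s=abc123; Path=/" % SESSION_COOKIE)])
        return [b"logged in"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"page"]


def make_environ(scheme, path, cookie=None, host="example.test"):
    """Build a minimal constructed WSGI environ for a GET request."""
    env = {"wsgi.url_scheme": scheme, "PATH_INFO": path, "SCRIPT_NAME": "",
           "HTTP_HOST": host, "QUERY_STRING": "", "REQUEST_METHOD": "GET"}
    if cookie:
        env["HTTP_COOKIE"] = cookie
    return env


def run(app, environ):
    """Drive a WSGI app once and return (status, headers-as-dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


app = SessionOverTLS(demo_app)

if __name__ == "__main__":
    print(run(app, make_environ("http", "/account", cookie="session_id=abc123")))
    print(run(app, make_environ("https", "/login")))
```

The Secure attribute is the part that actually closes the hole: once the browser has it, the session id is never put on the wire in the clear, so a man in the middle has nothing to sniff. The redirect is only a backstop for clients that ignore the attribute; by the time such a request arrives over HTTP the cookie has already been exposed once, which is a good argument for invalidating the session at that point rather than just redirecting.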

