On Wed, Feb 13, 2013 at 11:18:27PM +0100, Patrick Uiterwijk wrote:
> Stealing a cookie would still be possible indeed, but that's also not induced
> by the use of OpenID, just (again) because the cookie is sent in the clear.
>
I agree here. But this does mean that trac should still be accessed via ssl. There's no way around that unless the application itself (trac) didn't rely on its own session cookie.

-Toshio
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure