On 22/04/2010 5:29 p.m., Krist van Besien wrote:
> Just consider the following:
> - You direct a user to a login form. He enters username and password, gets authenticated and receives a session cookie from the server.
> - This session cookie is sent with each subsequent request, so that the requests can be associated with an authenticated user.
> - Someone intercepts this cookie by eavesdropping on the line. With this cookie this person can now impersonate the user without knowing the user's username or password...
Very true. However, it does protect the user's username and password. A large proportion of users use the same password for everything online. You don't want a login sniffed from your site to be used to breach the user's bank account.
Cheers,
Nicholas Sherlock
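The exposure Krist describes (a session cookie issued after an HTTPS login that the browser then replays on every plain-HTTP request) can be checked directly on the Set-Cookie headers a server emits. The following is an added example, not code from this thread or from the Apache project; the cookie name JSESSIONID and the header values are constructed samples, and Secure/HttpOnly are the standard RFC 6265 cookie attributes.

```python
# Added example (not from the thread): for each Set-Cookie header a server
# emits after login, decide whether the browser would also send that cookie
# over plain HTTP, which is the eavesdropping exposure discussed above.
# Header values below are constructed samples.
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def sent_over_plain_http(cookie: Dict[str, object]) -> bool:
    """Without the Secure attribute a browser replays the cookie on http:// requests too."""
    return "secure" not in cookie["attrs"]


def audit_cookies(headers: List[str]) -> List[Dict[str, object]]:
    """Report, per cookie, whether it would travel over an unencrypted request."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        findings.append({
            "name": c["name"],
            "plaintext_exposure": sent_over_plain_http(c),
            "httponly": "httponly" in c["attrs"],
        })
    return findings


# Constructed sample: the first cookie is the case the thread warns about
# (login over HTTPS, cookie still sent over HTTP); the second carries Secure.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```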