On Thu, Apr 22, 2010 at 1:38 PM, Nicholas Sherlock <n.sherlock@xxxxxxxxx> wrote:
> On 22/04/2010 5:29 p.m., Krist van Besien wrote:
>>
>> Just consider the following:
>> - You direct a user to a login form. He enters username and password,
>> gets authenticated and receives a session cookie from the server.
>> - This session cookie is sent with each subsequent request, so that
>> the requests can be associated with an authenticated user.
>> - Someone intercepts this cookie by eavesdropping on the line. With
>> this cookie this person can now impersonate the user without knowing
>> the user's username or password...
>
> Very true. However, it does protect the user's username and password. A
> large proportion of users use the same password for everything online. You
> don't want a login sniffed from your site to be used to breach the user's
> bank account.

There is in my opinion no good reason not to have https for the whole
session. The "performance" argument doesn't really apply anymore at a
time when you can buy several webservers for the cost of employing one
webserver specialist for a day...

Krist

-- 
krist.vanbesien@xxxxxxxxx
krist@xxxxxxxxxxxxx
Bremgarten b. Bern, Switzerland

--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
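The configuration below is an added example illustrating the "https for the whole session" position taken in the message above; it is editor-supplied and is not code from either participant or from the Apache HTTP Server project. It goes one step beyond a plain HTTP-to-HTTPS redirect: it also stamps the Secure (and HttpOnly) attribute onto every Set-Cookie the application emits, so the session cookie from the scenario quoted above is never transmitted in clear even if the user follows a stray http:// link. The hostname www.example.com, the certificate paths and the DocumentRoot are placeholders.

```apache
# Added example, not part of the original thread. Assumes httpd 2.2.12 or
# later with mod_ssl, mod_alias and mod_headers loaded; all names below
# are placeholders.

# Plain-HTTP vhost: serve nothing here, only bounce to the TLS site.
<VirtualHost *:80>
    ServerName www.example.com
    # mod_alias: permanent redirect of every path, preserving the URI.
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # mod_headers: append "Secure" so the browser refuses to send the
    # cookie over http://, and "HttpOnly" so script cannot read it.
    # "Header edit" rewrites each Set-Cookie header on normal responses.
    # Assumption: the application does not already set these attributes;
    # if it does, the attribute is simply repeated.
    Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly"

    # HSTS: after the first visit the browser goes straight to https://,
    # so not even the login form is fetched over plain HTTP.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

To check the result from the outside: `curl -sI http://www.example.com/` should return a 301 with a `Location: https://...` header, and `curl -sI https://www.example.com/login` should show every `Set-Cookie` line ending in `; Secure; HttpOnly`. The redirect alone does not close the eavesdropping vector described above, because a browser holding a cookie without the Secure attribute will still attach it to the first plain-HTTP request before the redirect arrives; the `Header edit` line is what stops that.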