[mod_python] Re: Question about Session security

Wouter van Marle wouter at squirrel-systems.com
Thu Jun 16 09:44:44 EDT 2005

On Thu, 2005-06-16 at 12:29 +0200, Stephane Bortzmeyer wrote:

> On Wed, Jun 15, 2005 at 01:36:22PM -0700,
>  Dan Eloff <dan.eloff at gmail.com> wrote 
>  a message of 19 lines which said:
> > the session cookie (which is sent in plaintext on every request)
>                                     ^^^^^^^^^^^^
>                                     You use authenticated sessions 
> and not httpS? You're wrong.

A pretty rude way to say it. And I think a bit shortsighted. It depends
on the situation; why is a user authenticated. For what authorisation is
For a mere authorisation to post messages in a board, or to track share
ratios (think of BitTorrent sites), that kind of things, I would say it
is safe enough. Not too much seriously bad can be done (and if it
happens: webmaster still has their logs). Unless someone targets an
enemy specifically, what use is there anyway in trying to hack someones
account by sniffing out a session ID?
When doing payments, or when accessing your source repository, that kind
of sensitive things, yes then https would be necessary. I'm using
session cookies myself, have for a moment thought of https, and rejected
it, and not only for the cost of a trusted certificate. It's just not
necessary for my site.


> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mm_cfg_has_not_been_edited_to_set_host_domains/pipermail/mod_python/attachments/20050616/38309caa/attachment.html

More information about the Mod_python mailing list