Wouter van Marle
wouter at squirrel-systems.com
Thu Jun 16 09:44:44 EDT 2005
On Thu, 2005-06-16 at 12:29 +0200, Stephane Bortzmeyer wrote:
> On Wed, Jun 15, 2005 at 01:36:22PM -0700,
>  Dan Eloff <dan.eloff at gmail.com> wrote
>  a message of 19 lines which said:
>
> > the session cookie (which is sent in plaintext on every request)
>                      ^^^^^^^^^^^^
> You use authenticated sessions and not httpS? You're wrong.

A pretty rude way to say it. And I think a bit shortsighted.

It depends on the situation: why is a user authenticated, and for what is authorisation required? For a mere authorisation to post messages in a board, or to track share ratios (think of BitTorrent sites), that kind of thing, I would say it is safe enough. Not too much seriously bad can be done (and if it happens, the webmaster still has their logs). Unless someone targets an enemy specifically, what use is there anyway in trying to hack someone's account by sniffing out a session ID?

When doing payments, or when accessing your source repository, that kind of sensitive thing, yes, then https would be necessary.

I'm using session cookies myself, have for a moment thought of https, and rejected it, and not only for the cost of a trusted certificate. It's just not necessary for my site.

Wouter.

> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python