On Wed, Jun 15, 2011 at 5:40 AM, Chris Seberino <[email protected]> wrote:
>
> On Jun 14, 10:47 am, Tom Evans <[email protected]> wrote:
>> Yes, of course it is - HTTP is stateless, so how else would sessions
>> work if the session id is not transmitted back to the server by the
>> browser?
>
> I agree. Yet, eBay, Google Groups & Godaddy drop down to HTTP after
> login.
> Why aren't they worried?
>
> cs
>
Because to have a problem, you must have an attacker who is listening to
your line. It's not super-likely, but for some places (e.g., my bank) it is
enough of a risk to use solely SSL. I'm not too concerned about someone
stealing my ebay session, but I'd be super-annoyed if they stole my online
banking session.

Actually, the main reason is that requiring SSL everywhere makes browsing
your site slow, there can be no intermediate caching, and you can serve
fewer users with each server than without SSL. More expensive, slower and a
worse user experience vs absolute security. Your choice.

Cheers

Tom

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
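The mechanism behind this exchange is the cookie's `Secure` attribute: a session cookie set without it is attached by the browser to every plain `http://` request to the site, which is exactly what a passive listener on the line would see when a site "drops down to HTTP after login". The following is an added example, not code from the thread or from Django, that parses `Set-Cookie` headers, models whether a browser would send each cookie over a given scheme, and flags session cookies that lack the `Secure` or `HttpOnly` attributes. The header values are constructed for illustration; the cookie names `sessionid` and `csrftoken` are Django's defaults, and the settings named in the comments (`SESSION_COOKIE_SECURE`, `CSRF_COOKIE_SECURE`, `SESSION_COOKIE_HTTPONLY`) are real Django settings that produce the hardened form.

```python
"""Audit Set-Cookie headers for session cookies a browser would send over
plain HTTP.  Added example, not from the thread or from Django itself."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample headers.  The first is what a site that falls back to
# HTTP after login typically sets; the second is the hardened form that
# Django emits with SESSION_COOKIE_SECURE = True and
# SESSION_COOKIE_HTTPONLY = True; the third is a CSRF cookie with neither
# flag (CSRF_COOKIE_SECURE = True would add Secure).
SAMPLE_HEADERS = [
    "sessionid=3f9c2d1e7a; Path=/; HttpOnly",
    "sessionid=3f9c2d1e7a; Path=/; HttpOnly; Secure",
    "csrftoken=ab12cd34; Path=/",
]

# Django's default session and CSRF cookie names.
SESSION_COOKIE_NAMES = ("sessionid", "csrftoken")


@dataclass
class Cookie:
    name: str
    value: str
    # Lower-cased attribute name -> value; flags such as Secure map to "".
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def sent_over(cookie: Cookie, scheme: str) -> bool:
    """Would a browser attach this cookie to a request with this scheme?

    A cookie carrying the Secure attribute is only sent over https
    (RFC 6265, section 4.1.2.5); without it the cookie goes out in
    cleartext on http requests too, which is the exposure Tom describes.
    """
    if "secure" in cookie.attrs:
        return scheme == "https"
    return scheme in ("http", "https")


def audit(headers: List[str],
          session_names: Tuple[str, ...] = SESSION_COOKIE_NAMES
          ) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, problem codes) for each session cookie header.

    Problem codes:
      no-secure   - browser would send the cookie on plain http requests
      no-httponly - cookie is readable by page scripts
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name not in session_names:
            continue
        problems = []
        if sent_over(cookie, "http"):
            problems.append("no-secure")
        if "httponly" not in cookie.attrs:
            problems.append("no-httponly")
        findings.append((cookie.name, problems))
    return findings


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_HEADERS):
        status = ", ".join(problems) if problems else "ok"
        print(f"{name}: {status}")
```

Running the block reports `sessionid: no-secure`, `sessionid: ok`, `csrftoken: no-secure, no-httponly`. The same check can be pointed at a real response by feeding it every `Set-Cookie` value from the login response; any session cookie flagged `no-secure` is one the browser will hand to a plain-HTTP listener the moment the site serves a non-SSL page.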

