On Mon, 1 Aug 2011, Mark H. Wood wrote:

>> Should the rest of their session take place over an https connection or is
>> it safe for them to go back to regular http after they have logged in?
>
> In general we can't really answer that and you probably can't either.
> It depends on the nature of the stuff in your repository and your
> users' needs for privacy. And if your repo. is public, you don't know
> who your users are until they've arrived.
If you go back to HTTP after signing in, then anyone can eavesdrop and steal your session. If you do not want this, then you should make sure to run everything over HTTPS as soon as someone's logged in. Then the rest of their session should be encrypted.

Assuming that the rest of the repository is public, you probably don't want the overhead and lack of caching of running that over HTTPS, so it's better to run it over plain HTTP until people log in.

Best,

-- 
Tom De Mulder <[email protected]> - Cambridge University Computing Service
+44 1223 3 31843 - New Museums Site, Pembroke Street, Cambridge CB2 3QH
-> 01/08/2011 : The Moon is Waxing Crescent (9% of Full)

_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
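The mixed policy described in the reply (public browsing over plain HTTP, everything after login over HTTPS), as an added example that is not part of the thread or of DSpace itself. It assumes a servlet-style `JSESSIONID` session cookie, a `/login` path, and a constructed non-secret marker cookie named `authenticated` that lets the plain-HTTP side recognise a logged-in browser, since the Secure session cookie is never sent over HTTP.

```python
"""Mixed HTTP/HTTPS session policy for a repository whose content is public.

Constructed example: login happens over HTTPS, the session cookie is marked
Secure so the browser never sends it over plain HTTP (nothing to eavesdrop),
and a harmless marker cookie lets the HTTP side bounce logged-in users back
to HTTPS while anonymous readers stay on cacheable plain HTTP.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlunsplit

SESSION_COOKIE = "JSESSIONID"    # assumed servlet-style session cookie name
MARKER_COOKIE = "authenticated"  # assumed name; carries no secret, just "1"
LOGIN_PATHS = ("/login",)        # assumed login URL; must always be HTTPS


def login_set_cookie_headers(session_id):
    """Set-Cookie header values the HTTPS login response should issue."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = session_id
    jar[SESSION_COOKIE]["secure"] = True    # never transmitted over http://
    jar[SESSION_COOKIE]["httponly"] = True  # not readable by page scripts
    jar[SESSION_COOKIE]["path"] = "/"
    jar[MARKER_COOKIE] = "1"                # deliberately NOT Secure
    jar[MARKER_COOKIE]["path"] = "/"
    return [morsel.OutputString() for morsel in jar.values()]


def route_request(scheme, host, path, cookie_header=""):
    """Decide how to handle one request.

    Returns ("serve", None), ("redirect", https_url) or
    ("reject_session", https_login_url).
    """
    if scheme == "https":
        return ("serve", None)
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    https_here = urlunsplit(("https", host, path, "", ""))
    if SESSION_COOKIE in cookies:
        # A session id arriving over plain HTTP has already been exposed on
        # the wire: do not honour it; the caller should invalidate that
        # session server-side and send the user back to the HTTPS login.
        return ("reject_session", urlunsplit(("https", host, LOGIN_PATHS[0], "", "")))
    if path in LOGIN_PATHS or MARKER_COOKIE in cookies:
        # Logging in, or already logged in: the rest of the session is HTTPS.
        return ("redirect", https_here)
    return ("serve", None)  # anonymous public content, cacheable plain HTTP
```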

