Nick,

two points:

1. Have you considered using TLS/SSL for your complete application? Without 
that a MITM would still be able to sniff the session cookie and act on 
behalf of the user, sniff users' data, modify data on the way between server 
and client and so on.

2. If you really really want to use TLS only for login purposes I recommend 
you redirect users to a simple login page using https and after logging in 
redirect them back to the http version of your app.

HTH
Max
