From http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_hijacking :
"a large number of websites, although using encrypted HTTPS communication for user authentication (i.e. the login page), subsequently send session cookies and other data over ordinary, unencrypted HTTP connections for performance reasons. Attackers can therefore easily intercept the cookies of other users and impersonate them on the relevant websites"

So what is the current 'state of the art' solution - all application data through HTTPS and only images via HTTP?

I imagine that one could also use two cookies - one secure and one ordinary session cookie - and then send a link to an empty image over HTTPS to periodically authenticate the ordinary session with the secure cookie. But that seems a bit complicated - and guarantees only partial security - the attacker would be able to successfully send a few requests.

-- 
Zbigniew Lukasiak
http://brudnopis.blogspot.com/
http://perlalchemy.blogspot.com/

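An added example, not part of the original post, showing the defender-side answer the question is after: mark the session cookie Secure (and HttpOnly) so a browser withholds it from plain http:// requests, which is the rule in RFC 6265 section 5.4. It uses Python's standard http.cookies module; the host name, cookie values and the audit messages are constructed for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def build_session_cookie(session_id: str, secure: bool) -> str:
    """Return the value of a Set-Cookie header for the session cookie.
    secure=True asks the browser never to attach the cookie to a plain
    http:// request, so it cannot be sniffed off an unencrypted link.
    """
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["path"] = "/"
    jar["session"]["httponly"] = True  # also keep it out of document.cookie
    if secure:
        jar["session"]["secure"] = True
    return jar["session"].OutputString()


def cookies_sent_to(set_cookie_values, url: str) -> dict:
    """Model which stored cookies a browser attaches to a request for url.
    Implements the Secure-attribute rule of RFC 6265 section 5.4: a cookie
    flagged Secure is only sent when the request scheme is https.
    """
    scheme = urlsplit(url).scheme.lower()
    sent = {}
    for value in set_cookie_values:
        for name, morsel in SimpleCookie(value).items():
            if morsel["secure"] and scheme != "https":
                continue  # withheld: never crosses the wire in cleartext
            sent[name] = morsel.value
    return sent


def audit_set_cookie(set_cookie_value: str) -> list:
    """Defender-side check of one Set-Cookie value for the attributes that
    stop the hijack quoted above. Returns a list of findings (empty = ok).
    """
    findings = []
    for name, morsel in SimpleCookie(set_cookie_value).items():
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure flag, sent over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, readable by scripts")
    return findings
```

Constructed scenario: the login over HTTPS sets the cookie, and a later image fetch from http://example.test/ carries it only when the Secure flag is missing; pairing the flag with a Strict-Transport-Security header keeps the browser off plain HTTP in the first place.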