Steve Morrey wrote:
We are only talking about protecting the login page, because it uses a permissions system that utilizes sessions. All the relevant variables are stored in the session which is managed by PHP.
You're still somewhat vulnerable then, as the session identifier is being sent in cleartext. That can be used to hijack the session by anyone who cares to.
If the site is important enough to protect the login form from being sent in cleartext, then the site is probably important enough to protect the whole thing.
Steve
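Added example, not part of the original messages: one way to apply the reply's point in PHP, so that every page (not only the login form) is served over HTTPS and the session cookie never travels in cleartext. It assumes PHP 7.3 or later; `CANONICAL_HOST`, `start_secure_session()` and `login_user()` are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. All names below are hypothetical.
const CANONICAL_HOST = 'www.example.com'; // assumption: the site's HTTPS hostname

// True when the current request arrived over TLS.
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string)$server['HTTPS']) !== 'off';
}

// Call at the top of every page, not only the login form.
function start_secure_session(array $server): void
{
    if (!request_is_https($server)) {
        // Redirect to a fixed host rather than echoing the client's Host header.
        header('Location: https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/'), true, 301);
        exit;
    }
    // Tell the browser to use HTTPS for later visits as well.
    header('Strict-Transport-Security: max-age=31536000');

    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => true,  // browser sends the cookie over HTTPS only
        'httponly' => true,  // cookie is not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// After credentials are verified: issue a fresh session ID so that an ID
// observed before login cannot be reused for the authenticated session.
function login_user(int $userId): void
{
    session_regenerate_id(true); // true = delete the old session data
    $_SESSION['user_id'] = $userId;
}

start_secure_session($_SERVER);
```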
