On Sun, Mar 16, 2008 at 8:45 PM, Steve Meyers <[EMAIL PROTECTED]> wrote:
> Steve Morrey wrote: > > We are only talking about protecting the login page, because it uses > > a permissions system that utilizes sessions. All the relevant > > variables are stored in the session which is managed by PHP. > > You're still somewhat vulnerable then, as the session identifier is > being sent in cleartext. That can be used to hijack the session by > anyone who cares to. > > If the site is important enough that protecting the login form from > being sent cleartext, then the site is probably important enough to > protect the whole thing. Precisely. The session ID is nearly as good as the password, unless the session ID changes each time and involves a shared secret and one-time nonce similar to the digest authentication algorithm. /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
