This is a basic security requirement to prevent information leakage.
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
"Web applications should never switch a given session from HTTP to HTTPS, 
or viceversa, as this will disclose the session ID in the clear through the 
network."

web2py did this for years and it is disgraceful that other, more popular 
frameworks do not.

Massimo

On Thursday, 28 September 2017 11:41:10 UTC-5, Ramos wrote:
>
> Hello, I noticed that if I logged in via https and then try to change the url 
> to http I have to log in again, but until I go back to https and log out I 
> cannot log in with the other protocol.
>
> The reverse is also true from http to https.
>
>
> Is this a web2py thing?
>
>
> Regards
>
>
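
A minimal sketch of the behaviour discussed in this thread, added here as an example; it is not web2py's code. The class name, cookie name and in-memory store are assumptions for illustration: a session is tied to the scheme it was created under, the HTTPS cookie carries the Secure flag, and a session ID presented over the other scheme is not honoured.

```python
import secrets
from http.cookies import SimpleCookie


class SchemeBoundSessions:
    """Illustrative in-memory session store (hypothetical, not web2py's)."""

    COOKIE = "session_id"  # assumed cookie name

    def __init__(self):
        self._sessions = {}  # session id -> {"scheme": ..., "user": ...}

    def create(self, scheme, user):
        """Create a session bound to the login request's scheme.

        Returns (session id, Set-Cookie header value).
        """
        if scheme not in ("http", "https"):
            raise ValueError("unknown scheme: %r" % scheme)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"scheme": scheme, "user": user}
        cookie = SimpleCookie()
        cookie[self.COOKIE] = sid
        cookie[self.COOKIE]["path"] = "/"
        cookie[self.COOKIE]["httponly"] = True
        if scheme == "https":
            # The browser will never send this cookie over plain HTTP.
            cookie[self.COOKIE]["secure"] = True
        return sid, cookie[self.COOKIE].OutputString()

    def lookup(self, scheme, cookie_header):
        """Return the session's user, or None if no session is valid here."""
        cookie = SimpleCookie()
        cookie.load(cookie_header or "")
        morsel = cookie.get(self.COOKIE)
        if morsel is None:
            return None
        record = self._sessions.get(morsel.value)
        # Server-side check: a session created over one scheme is never
        # accepted over the other, so the user has to log in again.
        if record is None or record["scheme"] != scheme:
            return None
        return record["user"]
```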
