> 1) Logging in. The login action should be https so username and password are
> encrypted, but once I pass the login, the first page the user sees does not
> need to be secure, hence switching from https to http
And that's exactly when your site stops being secure, and the user session can be hijacked, and your site is compromised. Facebook does login over https, yet the sessions can be hijacked. That's why they're rolling out the change...

Please *do* seriously consider using https all the way after the user has logged in. You have very few real reasons why you shouldn't - https is very cheap these days with SSL-terminating load balancers and plenty of CPU power for decryption anyway. You're otherwise creating a fairly easy-to-exploit security hole in your system... (unless, of course, you can ensure that nobody ever uses your system over WiFi.)

/Janne

_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
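The "https all the way after login" policy Janne argues for, as an added example that is not part of the thread or of Stripes itself: a small WSGI middleware (Python stands in for a servlet filter here) that redirects every plain-http request to https and forces the Secure and HttpOnly attributes onto any session cookie the application sets, so the browser never sends the session id in the clear. The hostname `example.com`, the `demo_app` and the `JSESSIONID` value are constructed for the demonstration.

```python
from urllib.parse import quote


def harden_cookie(value):
    """Append Secure and HttpOnly to a Set-Cookie value if they are missing."""
    attrs = [a.strip() for a in value.split(";")]
    present = {a.lower() for a in attrs[1:]}
    if "secure" not in present:
        attrs.append("Secure")      # never transmitted over plain http
    if "httponly" not in present:
        attrs.append("HttpOnly")    # not readable by page scripts
    return "; ".join(attrs)


def https_only(app, host):
    """Wrap a WSGI app so that nothing, session cookie included, travels over http."""
    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Redirect the browser to the same URL on https instead of serving it.
            path = quote(environ.get("PATH_INFO", "/"))
            query = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            hardened = [(n, harden_cookie(v)) if n.lower() == "set-cookie" else (n, v)
                        for n, v in headers]
            # Tell the browser to stay on https for future visits as well.
            hardened.append(("Strict-Transport-Security", "max-age=31536000"))
            return start_response(status, hardened, exc_info)

        return app(environ, secure_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in post-login page that (re)issues the session cookie without Secure."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "JSESSIONID=abc123; Path=/")])
    return [b"welcome"]


def call(app, scheme, path="/", query=""):
    """Drive a WSGI app with a constructed request; returns (status, headers, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
        return lambda data: None

    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path,
               "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


site = https_only(demo_app, "example.com")  # constructed hostname
```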