Couldn't this "use case" also be addressed with OAuth, where the auth is
performed over OAuth but the site remains over HTTP (non-secure)?

I do agree 100% with Janne though, HTTPS is cheap. If the
username/password, and the services provided by the webapp should be
secure, make it secure 100% of the time, e.g., redirect to HTTPS
immediately on hitting the site.

Regards,
Tim

-----Original Message-----
From: Janne Jalkanen [mailto:janne.jalka...@ecyrd.com] 
Sent: Monday, January 31, 2011 9:48 AM
To: Stripes Users List
Subject: Re: [Stripes-users] HTTPS to HTTP switching

> 1) Logging in.  The login action should be https so username and 
> password are encrypted, but once I pass the login, the first page the 
> user sees does not need to be secure, hence switching from https to 
> http

And that's exactly when your site stops being secure, and the user
session can be hijacked, and your site is compromised.  Facebook does
login over https, yet the sessions can be hijacked. That's why they're
rolling out the change...

Please *do* seriously consider using https all the way after the user
has logged in. You have very few real reasons why you shouldn't - https
is very cheap these days with SSL-terminating loadbalancers and
plenty-of-CPU power for decryption anyway. You're otherwise creating a
fairly easy-to-exploit security hole in your system... (unless, of
course, you can ensure that nobody ever uses your system over WiFi.)

/Janne


------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better
price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires February
28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users



Barclays             www.barclaycardus.com




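The "redirect to HTTPS immediately on hitting the site" approach from the reply above, written out as a servlet filter for a Stripes-style Java webapp. This is an added example, not code from the thread or from the Stripes project; the class name, the HSTS max-age value and the assumption that an SSL-terminating load balancer sets X-Forwarded-Proto are all mine. It also sends a Strict-Transport-Security header so browsers keep using HTTPS even when a user types a plain http:// URL later, which closes the window Janne describes in which a session cookie travels in the clear.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not part of Stripes): redirects every plain-HTTP request to
 * its HTTPS equivalent and tells browsers, via HSTS, to stay on HTTPS.
 * Map it in web.xml with <url-pattern>/*</url-pattern>, ahead of the
 * StripesFilter, so no action (the login action included) is ever served
 * over HTTP.
 */
public class HttpsOnlyFilter implements Filter {

    // One year in seconds; assumed value, shorten it while you roll HTTPS out.
    private static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!arrivedOverTls(request)) {
            // Build https://host/path?query from the original request. A 301
            // deliberately drops any POST body: a form submitted in the clear
            // has already been exposed and should not be replayed.
            StringBuilder target = new StringBuilder("https://")
                    .append(request.getServerName())
                    .append(request.getRequestURI());
            String query = request.getQueryString();
            if (query != null) {
                target.append('?').append(query);
            }
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", target.toString());
            return;
        }

        // Only meaningful on an HTTPS response; browsers ignore it over HTTP.
        response.setHeader("Strict-Transport-Security", HSTS_VALUE);
        chain.doFilter(req, res);
    }

    /**
     * True when the request reached the client over TLS. Behind an
     * SSL-terminating load balancer the container itself sees plain HTTP,
     * so the X-Forwarded-Proto header set by the balancer is honoured too.
     * Assumption: the balancer overwrites any client-supplied copy of that
     * header; if it does not, any client could claim to be on HTTPS and
     * skip the redirect.
     */
    static boolean arrivedOverTls(HttpServletRequest request) {
        if (request.isSecure()) {
            return true;
        }
        return "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));
    }

    @Override
    public void destroy() { }
}
```

The redirect alone is not enough: if the JSESSIONID cookie lacks the Secure flag, the browser still sends it on the very first http:// request before the redirect fires, which is the hijack Janne warns about. On a Servlet 3.0 container add `<session-config><cookie-config><secure>true</secure><http-only>true</http-only></cookie-config></session-config>` to web.xml; on older containers set the equivalent option on the connector or session manager of your server.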
