> upgrading our servers. I don't really agree that if you secure the site
> with a login that everything should be secure. Digg, for example,
> doesn't need to encrypt its news feed after you login because the
> information is not sensitive. Many sites I've seen have non-secure
> content after logging in. Was hoping there was an easy way to do it in
If you gave a little thought to what Janne has written, it would be clear that it is pointless to use SSL for the login page if the session id (or other authentication token) is then sent UNENCRYPTED with EACH subsequent request. It's not much more secure than relying on "?admin=true" in the URL. Just because "the big ones" do it doesn't mean it's good -- perhaps in Digg's case the possibility of hijacking an existing session is an acceptable tradeoff for performance, perhaps Facebook doesn't care about privacy, but you should consider it for your application yourself. What kind of damage can be done if someone steals one of a user's sessions? Having SSL for the login page and HTTP for all the rest only protects users from their password getting stolen; hackers can still steal their session, access their data and perhaps even change their passwords.

Best regards

_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
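The point made in the reply above, shown as an added example (not code from the thread or from Stripes): a browser attaches a session cookie that lacks the Secure attribute to every plain http:// request, so an HTTPS-only login still leaks the session id. The Set-Cookie headers and URLs below are constructed samples; the cookie names list is an assumption for the audit.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers, as a servlet container might emit them
# right after an HTTPS login. The first is the situation the post warns about
# (no Secure attribute); the second is the hardened form.
RESPONSE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
]

# Assumed names of cookies that carry an authenticated session.
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "sessionid"}


def parse_set_cookie(header):
    """Return (name, value, morsel) for one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return name, morsel.value, morsel


def browser_sends(header, url):
    """Model the one cookie rule that matters here: without Secure, the cookie
    (and so the session id) is also attached to http:// requests, in clear text.
    Path/Domain matching is deliberately left out."""
    _, _, morsel = parse_set_cookie(header)
    if morsel["secure"] and urlsplit(url).scheme != "https":
        return False
    return True


def audit_session_cookie(header):
    """Flag a session cookie that a browser would send over plain HTTP."""
    name, _, morsel = parse_set_cookie(header)
    findings = []
    if name.lower() in SESSION_COOKIE_NAMES:
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure; sent in clear text after login")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly; readable by page scripts")
    return findings
```

Note that marking the cookie Secure only helps if every post-login page is served over HTTPS; otherwise those pages simply stop seeing the session, which is the same conclusion the reply reaches.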