Reddit seems to send a clear text password but Digg and a few others seem to be hashing on the client using a token salt before sending. I'm too cheap to pay for a unique IP and SSL so I will try that first.
Question: Does session.secure do anything useful when *not* running over https? On Sep 29, 4:50 pm, mdipierro <[email protected]> wrote: > I did not notice and that is bad. > > If your app uses authentication you should have > > session.secure() > > and use HTTPS. The latter line will not accept sessions cookies > without HTTPS. > > Massimo > > On Sep 29, 4:28 pm, "mr.freeze" <[email protected]> wrote: > > > What are sites like reddit.com doing to secure their logins? > > Anything? The login request goes over http according to firebug. I'm > > just wondering if my wiki site needs https for login or http is > > acceptable or if there is another trick I can use. > > > Thanks! > > Nathan --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "web2py-users" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/web2py?hl=en -~----------~----~----~----~------~----~------~--~---
