If not running over http, session.secure() will prevent sessions from working and login will not work.

Hashing with a salt can easily be attacked.

Massimo

On Sep 29, 6:11 pm, "mr.freeze" <[email protected]> wrote:
> Reddit seems to send a clear text password but Digg and a few others
> seem to be hashing on the client using a token salt before sending.
> I'm too cheap to pay for a unique IP and SSL so I will try that
> first.
>
> Question: Does session.secure do anything useful when *not* running
> over https?
>
> On Sep 29, 4:50 pm, mdipierro <[email protected]> wrote:
> > I did not notice and that is bad.
> >
> > If your app uses authentication you should have
> >
> > session.secure()
> >
> > and use HTTPS. The latter line will not accept session cookies
> > without HTTPS.
> >
> > Massimo
> >
> > On Sep 29, 4:28 pm, "mr.freeze" <[email protected]> wrote:
> > > What are sites like reddit.com doing to secure their logins?
> > > Anything? The login request goes over http according to Firebug. I'm
> > > just wondering if my wiki site needs https for login or http is
> > > acceptable or if there is another trick I can use.
> > >
> > > Thanks!
> > > Nathan

You received this message because you are subscribed to the Google Groups "web2py-users" group.
For more options, visit this group at http://groups.google.com/group/web2py?hl=en
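The scheme mr.freeze describes (browser hashes the password with a server-issued token and posts the hash over plain HTTP) is simulated below to show concretely why Massimo says it is easily attacked. This is an added example, not code from the thread or from web2py: the `Server` class is a hypothetical login endpoint, not web2py's `Auth`, and the user record and wordlist are constructed for the demo. Both the token and the hash cross the wire in the clear, so a passive sniffer gets everything needed for an offline dictionary attack on the password, and, unless the server consumes each token, it can also replay the captured hash to log in without ever knowing the password. Making tokens one-time stops the replay but not the dictionary attack; only encrypting the channel (HTTPS, together with `session.secure()` so the session cookie is never sent over HTTP) removes the sniffer's view.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo account. A hypothetical server that verifies H(token + password)
# must keep the plaintext password (or a password-equivalent) to recompute it.
USERS = {"nathan": "correcthorse"}

# Constructed wordlist for the offline attack; real attackers use far larger ones.
WORDLIST = ["password", "123456", "letmein", "correcthorse", "qwerty"]


def client_side_hash(token: str, password: str) -> str:
    """What the browser's JavaScript would compute and post instead of the password."""
    return hashlib.sha256((token + password).encode()).hexdigest()


class Server:
    """Hypothetical login endpoint modelling the token-salt scheme (not web2py's Auth)."""

    def __init__(self, one_time_tokens: bool = False):
        self.issued = set()
        self.one_time_tokens = one_time_tokens

    def issue_token(self) -> str:
        # The "token salt" embedded in the login page. Over HTTP it travels in the clear.
        token = secrets.token_hex(16)
        self.issued.add(token)
        return token

    def login(self, user: str, token: str, client_hash: str) -> bool:
        if token not in self.issued:
            return False
        if self.one_time_tokens:
            self.issued.discard(token)  # consuming the token blocks replay, nothing more
        password = USERS.get(user)
        if password is None:
            return False
        return hmac.compare_digest(client_hash, client_side_hash(token, password))


def offline_dictionary_attack(token: str, client_hash: str, wordlist) -> Optional[str]:
    """Passive attacker: token and hash were both sniffed from plain HTTP, so every
    candidate password can be tested offline, just as with an unsalted hash."""
    for candidate in wordlist:
        if client_side_hash(token, candidate) == client_hash:
            return candidate
    return None


def run_scenario(one_time_tokens: bool = False) -> dict:
    """One legitimate login observed by a sniffer, followed by both attacks."""
    server = Server(one_time_tokens)
    token = server.issue_token()
    client_hash = client_side_hash(token, USERS["nathan"])
    genuine_ok = server.login("nathan", token, client_hash)
    # Everything the sniffer captured from the HTTP POST:
    sniffed = ("nathan", token, client_hash)
    return {
        "genuine_login": genuine_ok,
        "replay_login": server.login(*sniffed),
        "recovered_password": offline_dictionary_attack(token, client_hash, WORDLIST),
    }


if __name__ == "__main__":
    print(run_scenario())                      # replay succeeds, password recovered
    print(run_scenario(one_time_tokens=True))  # replay blocked, password still recovered
```

Note that an active attacker on the same HTTP path does not even need this: they can rewrite the login page's JavaScript in transit so the browser posts the plaintext password, which is why the thread's answer is HTTPS rather than a cleverer hash.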

