You are correct. If you want to prevent session hijacking, you need to force cookies over https.
You can do this in your program: session._secure=True. But it is up to you to set up https.

On Jun 16, 5:43 am, blackthorne <[email protected]> wrote:
> There may be a security problem for all of you using Auth. Even if the
> login process is done through SSL the session should be also kept over
> SSL or else you may be vulnerable to session hijacking
> (http://en.wikipedia.org/wiki/Session_hijacking) attacks.
>
> My question is, is there a control to make auth methods and logged in
> sessions to be kept over https and https only leaving at the same
> time, public data to be transmitted as clear data?
>
> Thank you,
> Best regards
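As an added example (not code from this thread or from web2py), a small Python check of the Set-Cookie header a login response sends, plus a model of the browser rule that a cookie marked Secure travels only over https, which is what lets public pages stay on plain http without exposing the session. The cookie name and header values are constructed samples; the "session_id_<app>" naming is assumed to match web2py's default.

```python
# Added example: inspect Set-Cookie headers for the attributes that keep a
# session cookie on https only, and model what a browser would send per scheme.
from http.cookies import SimpleCookie

# Constructed sample headers, as a login response might emit them. The name
# follows web2py's assumed "session_id_<application>" pattern for app "myapp".
WEAK = "session_id_myapp=abc123; Path=/; HttpOnly"
HARDENED = "session_id_myapp=abc123; Path=/; Secure; HttpOnly"


def cookie_flags(set_cookie_header):
    """Parse one Set-Cookie header into {name: {'secure': bool, 'httponly': bool}}."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return {name: {"secure": bool(m["secure"]), "httponly": bool(m["httponly"])}
            for name, m in jar.items()}


def session_cookie_problems(set_cookie_header, prefix="session_id_"):
    """List attributes a session cookie is missing; an empty list means it is fine."""
    problems = []
    for name, flags in cookie_flags(set_cookie_header).items():
        if not name.startswith(prefix):
            continue  # not a session cookie, ignore it
        if not flags["secure"]:
            problems.append(f"{name}: missing Secure (sent over plain http, hijackable)")
        if not flags["httponly"]:
            problems.append(f"{name}: missing HttpOnly (readable by page scripts)")
    return problems


def cookies_a_browser_would_send(set_cookie_header, scheme):
    """Cookie names a browser attaches to a request over `scheme` ('http' or 'https').

    Models the browser rule: a Secure cookie is only sent over https, so the
    session never travels in clear even when public pages are served over http.
    """
    return sorted(name for name, flags in cookie_flags(set_cookie_header).items()
                  if scheme == "https" or not flags["secure"])


if __name__ == "__main__":
    print(session_cookie_problems(WEAK))
    print(session_cookie_problems(HARDENED))                # []
    print(cookies_a_browser_would_send(HARDENED, "http"))   # []
    print(cookies_a_browser_would_send(HARDENED, "https"))  # ['session_id_myapp']
```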

