On Thursday, June 16, 2011 9:48:47 AM UTC-4, Massimo Di Pierro wrote:
>
> You are correct. If you want to prevent session hijacking you need to
> force cookies over https.
>
> You can do this in your program
>
> session._secure=True
Doesn't session.secure() do the same thing (i.e., sets session._secure=True)? Also, setting a secure cookie tells the user agent to only send the cookie back to the server via a secure channel, but don't you also have to make sure that the cookie is originally delivered over https? What if the session first starts out over http (so the session cookie is initially sent insecurely) and then switches to https -- couldn't someone grab the session cookie on the initial send?

Anthony
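Added example (Python, written for this page; it is not web2py code and not code from either poster). It models the scenario Anthony describes: a session cookie is first delivered over plain http, the user later moves to https, and a passive eavesdropper on the http hop records every session ID that goes by. The Secure attribute only governs when the browser will send the cookie back, so it does not protect that initial delivery; the example also shows the usual mitigation, re-issuing the session ID the first time it is seen over https. `SessionStore`, `Browser` and `run_scenario` are hypothetical names for this model; the cookie handling uses the standard library's `http.cookies`.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE = "session_id"


class SessionStore:
    """Server side (hypothetical, not web2py's Session): issues session IDs
    and remembers which scheme each ID was first delivered over."""

    def __init__(self, secure_cookies, rotate_on_https):
        self.secure_cookies = secure_cookies    # emit the Secure attribute
        self.rotate_on_https = rotate_on_https  # re-issue IDs that were born over http
        self.sessions = {}                      # sid -> {"issued_over": scheme, ...}

    def _issue(self, scheme, state=None):
        sid = secrets.token_hex(16)
        self.sessions[sid] = dict(state or {}, issued_over=scheme)
        c = SimpleCookie()
        c[COOKIE] = sid
        c[COOKIE]["httponly"] = True
        if self.secure_cookies:
            c[COOKIE]["secure"] = True
        return {"Set-Cookie": c.output(header="").strip()}, sid

    def handle(self, scheme, cookie_header):
        """Process one request; returns (response headers, active session id)."""
        sid = None
        if cookie_header:
            parsed = SimpleCookie(cookie_header)
            if COOKIE in parsed:
                sid = parsed[COOKIE].value
        if sid not in self.sessions:
            return self._issue(scheme)
        if (self.rotate_on_https and scheme == "https"
                and self.sessions[sid]["issued_over"] == "http"):
            # This ID was on the wire in clear text at least once: replace it,
            # carrying the session state over so the user is not logged out.
            return self._issue("https", self.sessions.pop(sid))
        return {}, sid


class Browser:
    """Models the RFC 6265 rule: a cookie carrying Secure is only sent over https.
    Like browsers of 2011 it still stores a Secure cookie delivered over http."""

    def __init__(self):
        self.jar = {}  # name -> (value, secure flag)

    def store(self, set_cookie):
        if set_cookie:
            for name, morsel in SimpleCookie(set_cookie).items():
                self.jar[name] = (morsel.value, bool(morsel["secure"]))

    def cookie_header(self, scheme):
        sent = [f"{n}={v}" for n, (v, secure) in self.jar.items()
                if scheme == "https" or not secure]
        return "; ".join(sent) or None


def run_scenario(secure_cookies, rotate_on_https):
    """Session starts over http, then the user moves to https and logs in.
    A passive eavesdropper records every session ID seen on the http hops.
    Returns (distinct IDs captured, whether replaying one of them over https
    yields the logged-in session)."""
    server = SessionStore(secure_cookies, rotate_on_https)
    browser, captured = Browser(), set()

    def request(scheme):
        cookie = browser.cookie_header(scheme)
        headers, sid = server.handle(scheme, cookie)
        if scheme == "http":  # both directions of a plain-http hop are readable
            for raw in (cookie, headers.get("Set-Cookie")):
                if raw:
                    captured.add(SimpleCookie(raw)[COOKIE].value)
        browser.store(headers.get("Set-Cookie"))
        return sid

    request("http")                          # session created, cookie delivered in clear
    request("http")                          # another plain-http page
    sid = request("https")                   # user switches to https ...
    server.sessions[sid]["user"] = "alice"   # ... and logs in there
    hijacked = False
    for stolen in captured:                  # attacker replays each captured ID over https
        _, got = server.handle("https", f"{COOKIE}={stolen}")
        hijacked |= server.sessions[got].get("user") == "alice"
    return len(captured), hijacked


if __name__ == "__main__":
    for secure in (False, True):
        for rotate in (False, True):
            n, hijacked = run_scenario(secure, rotate)
            print(f"Secure={secure!s:5} rotate={rotate!s:5} captured={n} hijacked={hijacked}")
```

Two things the model makes visible. With the Secure attribute alone, the eavesdropper still captures an ID that is valid over https, so the flag answers a different question than the one Anthony asks; and because the browser withholds a Secure cookie on http requests, every plain-http hit starts a fresh session, which is why mixing schemes does not work and the cookie has to be issued over https from the start. Rotating the ID on the first https request closes the replay even when the session did begin over http. Later browsers refuse to store a Secure cookie that arrives over http at all, which does not make the http-first flow safe; it just drops the session.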

