It could. I think it would be interesting to have a control to redirect by default to https, whether it is a login or an authenticated session, kind of what we already have for appadmin...
On Jun 16, 2:57 pm, Anthony <[email protected]> wrote:
> On Thursday, June 16, 2011 9:48:47 AM UTC-4, Massimo Di Pierro wrote:
> >
> > You are correct. If you want to prevent session hijacking you need to
> > force cookies over https.
> >
> > You can do this in your program
> >
> > session._secure=True
>
> Doesn't session.secure() do the same thing (i.e., sets
> session._secure=True)?
>
> Also, setting a secure cookie tells the user agent to only send the cookie
> back to the server via a secure channel, but don't you also have to make
> sure that the cookie is originally delivered over https? What if the session
> first starts out over http (so the session cookie is initially sent
> insecurely) and then switches to https -- couldn't someone grab the session
> cookie on the initial send?
>
> Anthony
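The policy the thread converges on (redirect to https before any session cookie is issued, then set the cookie with the Secure flag), as an added example that is not code from the thread or from web2py itself; the Request/Response classes and the cookie name are constructed stand-ins for the framework's own objects:

```python
# Added example (not from the thread or web2py): model the https-first
# session policy so the cookie is never emitted on a plain-http response.
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
import secrets

SESSION_COOKIE = "session_id_example"   # constructed name, not web2py's


@dataclass
class Request:                           # constructed stand-in for a framework request
    scheme: str                          # "http" or "https"
    host: str
    path: str = "/"
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:                          # constructed stand-in for a framework response
    status: int
    headers: dict = field(default_factory=dict)


def handle(request: Request) -> Response:
    """Apply the policy to one request: redirect first, issue the cookie only on https."""
    if request.scheme != "https":
        # Redirect before a session exists, so the cookie is never sent in the
        # clear on the initial response (the case Anthony raises above).
        return Response(302, {"Location": f"https://{request.host}{request.path}"})
    if SESSION_COOKIE in request.cookies:
        return Response(200)             # existing session, nothing to set
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = secrets.token_urlsafe(32)
    cookie[SESSION_COOKIE]["secure"] = True     # browser returns it only over https
    cookie[SESSION_COOKIE]["httponly"] = True   # not readable by page scripts
    cookie[SESSION_COOKIE]["path"] = "/"
    return Response(200, {"Set-Cookie": cookie.output(header="").strip()})


def cookie_is_secure(set_cookie: str) -> bool:
    """Check a Set-Cookie header value for the Secure attribute (case-insensitive)."""
    attrs = [part.strip().lower() for part in set_cookie.split(";")]
    return "secure" in attrs
```

`cookie_is_secure` is the check to run against a real server's Set-Cookie header after enabling `session.secure()`, to confirm the attribute actually reaches the browser.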

