That's exactly what the "secure" cookie flag prevents, sending the cookie over a nonsecure line. The problem as you note is that even if your server is set up to redirect nonsecure traffic to secure traffic, the cookie is still sent over in that first handshake. The "secure" flag prevents that. At least that's how I interpret the literature. The Firesheep guy provides more info: http://codebutler.com/firesheep-a-day-later
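The behaviour described above, as an added stand-alone Python example (not web2py code and not from the original thread): it parses a Set-Cookie header and applies the RFC 6265 rule a browser uses to decide whether a cookie is attached to the first http:// request that precedes the redirect. The cookie name, value and host are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers a login response might emit,
# without and with the Secure attribute (name and value are made up).
WITHOUT_SECURE = "session_id_myapp=abc123; Path=/; HttpOnly"
WITH_SECURE = "session_id_myapp=abc123; Path=/; HttpOnly; Secure"


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header line."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    attrs = {
        "secure": bool(morsel["secure"]),      # "" when absent, True when set
        "httponly": bool(morsel["httponly"]),
        "path": morsel["path"] or "/",
    }
    return name, morsel.value, attrs


def will_browser_send(attrs, request_url):
    """RFC 6265 section 5.4: a cookie carrying Secure is attached only when
    the request goes over a secure channel; the path must also match."""
    parts = urlsplit(request_url)
    if attrs["secure"] and parts.scheme != "https":
        return False
    path, cpath = parts.path or "/", attrs["path"]
    if path == cpath:
        return True
    return path.startswith(cpath) and (cpath.endswith("/") or path[len(cpath)] == "/")


def exposure_on_plain_http(set_cookie_header, host="example.com"):
    """Simulate the thread's scenario: the user's first request goes to
    http:// before the server redirects to https://. Returns, per scheme,
    whether the browser would attach the cookie to that request."""
    _name, _value, attrs = parse_set_cookie(set_cookie_header)
    return {
        "http": will_browser_send(attrs, f"http://{host}/"),
        "https": will_browser_send(attrs, f"https://{host}/"),
    }


if __name__ == "__main__":
    for label, header in (("no Secure", WITHOUT_SECURE), ("Secure", WITH_SECURE)):
        print(label, exposure_on_plain_http(header))
```

Without the flag the cookie rides along on the plaintext request and the redirect does nothing to protect it; with the flag the browser withholds it until the https:// request.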

