On Tue, 20 Apr 2004, Peter Sabaini wrote:

> Shane Hathaway wrote:
> > Even with unbreakable encryption of credentials after login, you still
> > send the username and password in the clear at login time, and sniffers
> > can reuse the session ID with ease.  You really shouldn't tell the Plone
> > users they will be safer with a session token, because they won't.
> Why not make the login page itself SSL-protected then?

If you're going to go to the trouble of setting up SSL, why not encrypt
the whole session?  Let anonymous users come in via HTTP, then go all-SSL
for logged-in users.  SourceForge is a great example of this.
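
The policy discussed in this thread (anonymous users over HTTP, login and logged-in sessions over SSL only), sketched as WSGI middleware. This is an added example, not part of the original message and not Zope or Plone code; the cookie name `session_id`, the `/login` path, the `revoke` hook and HTTPS on the default port are assumptions.

```python
from http.cookies import SimpleCookie

class SslSessionMiddleware:
    """Anonymous traffic may use HTTP; login and session cookies are HTTPS-only."""

    def __init__(self, app, cookie_name="session_id", login_path="/login", revoke=None):
        self.app = app
        self.cookie_name = cookie_name              # assumed cookie name
        self.login_path = login_path                # assumed login URL
        self.revoke = revoke or (lambda sid: None)  # assumed hook: invalidate a session

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") == "https":
            return self.app(environ, self._secure_cookies(start_response))
        cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        leaked = cookies.get(self.cookie_name)
        if leaked is None and environ.get("PATH_INFO", "/") != self.login_path:
            return self.app(environ, start_response)  # anonymous over HTTP is fine
        # Login page or a session cookie on plain HTTP: move the client to HTTPS.
        headers = [("Location", self._https_url(environ)), ("Content-Length", "0")]
        if leaked is not None:
            # The token crossed the wire in cleartext, so treat it as sniffed.
            self.revoke(leaked.value)
            headers.append(("Set-Cookie", self.cookie_name + "=; Max-Age=0; Path=/"))
        start_response("302 Found", headers)
        return [b""]

    def _https_url(self, environ):
        host = environ.get("HTTP_HOST", "localhost").split(":")[0]  # drop the HTTP port
        url = "https://" + host + environ.get("PATH_INFO", "/")
        query = environ.get("QUERY_STRING")
        return url + ("?" + query if query else "")

    def _secure_cookies(self, start_response):
        """Wrap start_response so the session cookie always carries Secure and HttpOnly."""
        prefix = self.cookie_name + "="

        def wrapped(status, headers, exc_info=None):
            fixed = []
            for name, value in headers:
                if name.lower() == "set-cookie" and value.startswith(prefix):
                    attrs = {a.strip().lower() for a in value.split(";")[1:]}
                    for flag in ("Secure", "HttpOnly"):
                        if flag.lower() not in attrs:
                            value += "; " + flag
                fixed.append((name, value))
            return start_response(status, fixed, exc_info)
        return wrapped
```

With the `Secure` attribute set, a browser does not send the session cookie over HTTP at all, so the revoke branch only fires for cookies issued before the policy was in place or by a misconfigured client.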

