On Tue, 20 Apr 2004, Peter Sabaini wrote:
> Shane Hathaway wrote:
> > Even with unbreakable encryption of credentials after login, you still
> > send the username and password in the clear at login time, and sniffers
> > can reuse the session ID with ease. You really shouldn't tell the Plone
> > users they will be safer with a session token, because they won't.
>
> Why not make the login page itself SSL-protected then?
If you're going to go to the trouble of setting up SSL, why not encrypt the
whole session? Let anonymous users come in via HTTP, then go all-SSL for
logged-in users. Sourceforge is a great example of this.

Shane

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
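The split Shane describes (anonymous traffic over plain HTTP, anything carrying a session over SSL) can be enforced in front of the application rather than left to the user. The WSGI middleware below is an added example and is not Zope's, Plone's or Shane's code: a request that arrives over http:// with a session cookie is redirected to the same URL over https://, and any Set-Cookie for the session cookie gets the Secure attribute, so the browser will not hand the session ID to a sniffer on the next http:// link. The cookie name `_ZopeId`, the host `plone.example` and the tiny `demo_app` standing in for the real application are all assumptions made for the example.

```python
"""Force HTTPS for logged-in (cookie-bearing) requests; leave anonymous HTTP alone.

Added example, not code from Zope/Plone or from the mailing-list post. The
session cookie name, host name and demo application below are assumptions.
"""
from http.cookies import SimpleCookie
from urllib.parse import quote

SESSION_COOKIE = "_ZopeId"  # assumed name; Zope's session cookie name is configurable


def has_session_cookie(environ, name=SESSION_COOKIE):
    """True if the incoming request carries the session cookie."""
    cookies = SimpleCookie()
    cookies.load(environ.get("HTTP_COOKIE", ""))
    return name in cookies


def https_url_for(environ):
    """Rebuild the request URL with the https scheme (PEP 3333 URL reconstruction)."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "")) + quote(environ.get("PATH_INFO", ""))
    query = environ.get("QUERY_STRING", "")
    return "https://" + host + path + ("?" + query if query else "")


def must_redirect(environ):
    """Policy from the thread: a session-bearing request over plain HTTP is bounced
    to HTTPS; anonymous HTTP requests pass through untouched."""
    return environ.get("wsgi.url_scheme") == "http" and has_session_cookie(environ)


def _has_secure_attr(set_cookie_value):
    # Attributes follow the first ';' (name=value comes first), so the cookie
    # value itself containing the word "secure" does not fool this check.
    return any(part.strip().lower() == "secure" for part in set_cookie_value.split(";")[1:])


def secure_cookie_headers(headers):
    """Add the Secure attribute to any Set-Cookie for the session cookie, so the
    browser never sends the session ID over http:// (the replay the thread warns about)."""
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie" and value.split("=", 1)[0].strip() == SESSION_COOKIE:
            if not _has_secure_attr(value):
                value = value + "; Secure"
        out.append((name, value))
    return out


class ForceHttpsForSessions:
    """WSGI middleware wrapping the real application."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if must_redirect(environ):
            location = https_url_for(environ)
            start_response("302 Found", [("Location", location), ("Content-Type", "text/plain")])
            return [b"Redirecting to HTTPS\n"]

        def secured_start_response(status, headers, exc_info=None):
            return start_response(status, secure_cookie_headers(headers), exc_info)

        return self.app(environ, secured_start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for Zope: hitting /login sets the session cookie."""
    if environ.get("PATH_INFO") == "/login":
        start_response("200 OK", [("Content-Type", "text/plain"),
                                  ("Set-Cookie", SESSION_COOKIE + "=abc123; Path=/")])
        return [b"logged in\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def make_environ(scheme, path, cookie=None, query=""):
    """Build a minimal constructed WSGI environ for the example."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": "plone.example",
               "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query,
               "REQUEST_METHOD": "GET"}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    return environ


def call_app(app, environ):
    """Drive a WSGI app once and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = ForceHttpsForSessions(demo_app)
    print(call_app(app, make_environ("http", "/")))                                   # anonymous: 200 OK
    print(call_app(app, make_environ("http", "/doc", cookie="_ZopeId=abc123")))       # logged in: 302 to https
    print(call_app(app, make_environ("https", "/login")))                             # cookie now carries Secure
```

The redirect alone is not enough: without the Secure attribute the browser would still send `_ZopeId` on the first http:// request of every later visit, which is exactly the window a sniffer needs, so the two halves belong together. Note that this does nothing for the login form itself; as the thread says, the credentials must already be travelling over SSL when the cookie is first issued.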