On Tue, 20 Apr 2004, Peter Sabaini wrote:
> Shane Hathaway wrote:
> > Even with unbreakable encryption of credentials after login, you still
> > send the username and password in the clear at login time, and sniffers
> > can reuse the session ID with ease. You really shouldn't tell the Plone
> > users they will be safer with a session token, because they won't.
> Why not make the login page itself SSL-protected then?
If you're going to go to the trouble of setting up SSL, why not encrypt
the whole session? Let anonymous users come in via HTTP, then go all-SSL
for logged-in users. SourceForge is a great example of this.
Zope-Dev maillist - [EMAIL PROTECTED]