20 Apr 2004, 2:54 p.m.
On Tue, 20 Apr 2004, Peter Sabaini wrote:

> Shane Hathaway wrote:
>
> > Even with unbreakable encryption of credentials after login, you still send the username and password in the clear at login time, and sniffers can reuse the session ID with ease. You really shouldn't tell the Plone users they will be safer with a session token, because they won't.
>
> Why not make the login page itself SSL-protected then?

If you're going to go to the trouble of setting up SSL, why not encrypt the whole session? Let anonymous users come in via HTTP, then go all-SSL for logged in users. Sourceforge is a great example of this.

Shane
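An added check that is not part of the thread, turning Shane's two points into something testable: a login response is flagged when the credentials were posted over plain HTTP, and when a session cookie lacks the Secure flag and so would also be sent on http:// requests where it can be sniffed and replayed. The set of cookie names treated as session tokens is an assumption for the example.

```python
# Added example, not code from the thread or from Plone/Zope.
# Audits a login response for the two exposures discussed above:
#   1. credentials posted over plain HTTP (readable on the wire)
#   2. a session cookie that the browser will also send over plain HTTP
#      (a sniffed token can be replayed), i.e. missing the Secure flag
from http.cookies import SimpleCookie

# Cookie names treated as session/auth tokens (assumption for this example).
SESSION_COOKIE_NAMES = {"__ac", "_ZopeId", "sessionid", "PHPSESSID", "JSESSIONID"}


def audit_login_response(scheme, set_cookie_headers):
    """Return a list of findings for one login response.

    scheme: 'http' or 'https', the scheme the login form was submitted over.
    set_cookie_headers: raw Set-Cookie header values from the response.
    """
    findings = []
    if scheme != "https":
        # The POST body carrying username and password crossed unencrypted.
        findings.append("credentials sent in the clear: login not over https")

    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses "name=value; Path=/; Secure; HttpOnly"
        for name, morsel in jar.items():
            if name not in SESSION_COOKIE_NAMES:
                continue  # preference cookies etc. carry no authority
            if not morsel["secure"]:
                # Without Secure the token rides along on any http:// request
                # to the site, so an SSL-only login page does not protect it.
                findings.append(f"session cookie {name} lacks Secure flag")
            if not morsel["httponly"]:
                findings.append(f"session cookie {name} lacks HttpOnly flag")
    return findings


if __name__ == "__main__":
    # Constructed sample: SSL login page, but the session then runs over HTTP.
    for f in audit_login_response("https", ["__ac=abc123; Path=/; HttpOnly"]):
        print("FINDING:", f)
```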