chrisboyle
commented
14 years ago Fixed by commits ffde485f74f154e527464184801bdb6c87207d0a to fc0f4e6fbe29b8b2e4c41644a6a7d5c9131bfb96.
Closed chrisboyle closed 14 years ago
chrisboyle
commented
14 years ago Fixed by commits ffde485f74f154e527464184801bdb6c87207d0a to fc0f4e6fbe29b8b2e4c41644a6a7d5c9131bfb96.
Login, at least, should happen over SSL. Ideally the session cookie should be "secure", meaning https only, and a second insecure cookie should merely flag the existence of the secure one, prompting a redirect onto https (for as long as the user is logged in).