An OC ticket passed either as a request parameter or in a cookie travels in plain text over the wire. Once a user has stolen a ticket, they theoretically have the ability to impersonate the user it belongs to.
One option that a client opted for was to put the ticket in an HTTP header of the request instead; if it is in the header, then on their HTTPS servers it is encrypted as part of the request rather than being in plain text or in a cookie that is just sitting around.
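As an added example (not code from the original post or from the product it describes), the server-side half of the header approach: accept the ticket only from a request header, and report whether the same ticket was also sent as a query parameter or cookie, where it would additionally end up in access logs and Referer headers. The header name `X-OC-Ticket` and the parameter/cookie name `ticket` are assumptions, not names the post gives.

```python
"""Extract an OC ticket from a request, accepting it only from a header.

Added example; the header and parameter names are assumptions.
"""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

TICKET_HEADER = "X-OC-Ticket"  # assumed header name
TICKET_PARAM = "ticket"        # assumed query-param / cookie name


def ticket_from_request(headers: Dict[str, str],
                        query_string: str = "") -> Tuple[Optional[str], List[str]]:
    """Return (ticket_or_None, places_it_leaked).

    The ticket is taken from the dedicated header only. If the client also
    sent it in the query string or in a cookie, that location is recorded so
    the server can log it and ask the client to stop.
    """
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ticket = lower.get(TICKET_HEADER.lower())

    leaks: List[str] = []
    if TICKET_PARAM in parse_qs(query_string):
        leaks.append("query")

    cookie_header = lower.get("cookie")
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if TICKET_PARAM in jar:
            leaks.append("cookie")

    return ticket, leaks


def demo() -> Tuple[Tuple[Optional[str], List[str]], Tuple[Optional[str], List[str]]]:
    """Run the check over two constructed requests: one compliant, one not."""
    # Constructed sample values; "TICKET_abc123" is a placeholder, not a real ticket.
    good = ticket_from_request({"X-OC-Ticket": "TICKET_abc123"}, "")
    bad = ticket_from_request({"Cookie": "ticket=TICKET_abc123"},
                              "ticket=TICKET_abc123&page=1")
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("header only", "param+cookie"), demo()):
        print(f"{label}: ticket={result[0]!r}, leaked via {result[1]}")
```

The compliant request yields the ticket and an empty leak list; the non-compliant one yields no ticket (the server refuses to read it from the query or cookie) and reports both leak locations, which is the signal to log and alert on during a migration to the header scheme.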