Better HN
0 points
oxplot
4y ago
That only protects the user's password. The auth cookie will be sent in all subsequent requests in plain text.
EDIT: that's how Firesheep (https://en.wikipedia.org/wiki/Firesheep) hijacked sessions for e.g.
nly
4y ago
That's not true. Cookies can have a 'secure' attribute which tells the browser to send them only over TLS.
chc
4y ago
But that just makes your login not work if the rest of your site is HTTP, doesn't it?
shkkmo
4y ago
You should not show authenticated pages without HTTPS.
oxplot
OP
4y ago
A secure cookie would be of no use for a site whose only secure page is the login page, which is what the parent post I replied to was talking about.
eli
4y ago
in 2011?
shkkmo
4y ago
Yes
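The exchange above (nly's point that a Secure cookie is only sent over TLS, and chc's and oxplot's point that this "breaks" login on a site whose only HTTPS page is the login page) can be modelled in a few lines. This is an added example, not code from the thread; the site URLs and the session value are constructed, and the browser rule it models is the Secure-attribute check from RFC 6265 section 5.4.

```python
from urllib.parse import urlparse

# Constructed example: a 2011-style site whose only TLS page is the login page.
SITE_PAGES = [
    "https://example.test/login",
    "http://example.test/inbox",
    "http://example.test/settings",
]


def build_set_cookie(name, value, secure):
    """Return a Set-Cookie header value for a session cookie, with or without Secure."""
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs


def cookie_fate(set_cookie_header, request_url):
    """Model the per-request rule a browser applies (RFC 6265 section 5.4):
    a cookie carrying the Secure attribute is attached only when the request
    scheme is https; without Secure it goes out on plain HTTP too."""
    _, _, attrs = parse_set_cookie(set_cookie_header)
    scheme = urlparse(request_url).scheme.lower()
    if scheme == "https":
        return "sent over TLS"
    if "secure" in attrs:
        return "not sent"           # the HTTP pages never see the session: login "breaks"
    return "sent in plaintext"      # readable on the wire: the Firesheep-style hijack case


def simulate(secure):
    """Map every page of the constructed site to what happens to the session cookie."""
    header = build_set_cookie("session", "abc123", secure)
    return {url: cookie_fate(header, url) for url in SITE_PAGES}


if __name__ == "__main__":
    for secure in (False, True):
        print(f"Secure attribute {'set' if secure else 'absent'}:")
        for url, fate in simulate(secure).items():
            print(f"  {url:<40} {fate}")
```

Running it shows both halves of the argument: without Secure the cookie leaves the browser in the clear on every HTTP page, and with Secure those pages simply never receive it, which is why the whole authenticated site has to be served over HTTPS.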