
I've seen some sites which figure out a way to force the user in and out of SSL for certain URLs. You might be able to implement a fix which forces SSL for the admin section and non-SSL for everything else.

That doesn't help, because my all-powerful admin session is as secure as the least secure page I access (or can be made to access) while on a compromised network.

Doh. Of course. It's all on the same domain. Do you think that, if designing a new application, it would make sense to make a separate admin sub-domain (assuming no wildcard cookies)?

Does the solution entail purchasing legit ssl certs for your static content domains?

Er, can’t you just specify that the session cookie is only sent over HTTPS?
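To make the thread's three points concrete (the admin session is only as safe as the least-secure page it is sent to, a wildcard Domain= cookie reaches every sub-domain, and the Secure flag stops the cookie from going over plain http://), here is an added example that is not from any commenter. It builds Set-Cookie headers with Python's standard http.cookies module and then models, in a simplified form of the RFC 6265 rules, whether a browser would attach a stored cookie to a given request. The host names (example.com, admin.example.com, www.example.com) and all function names are assumptions for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def build_set_cookie(name, value, secure=True, http_only=True, domain=None, path="/"):
    """Return a Set-Cookie header value.

    Secure: browser never sends the cookie on a plain http:// request.
    HttpOnly: cookie is not readable from document.cookie (script on a page).
    domain=None: host-only cookie, sent back only to the exact host that set it.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    if secure:
        jar[name]["secure"] = True
    if http_only:
        jar[name]["httponly"] = True
    if domain:
        jar[name]["domain"] = domain
    # output() prefixes the header name; we only want the value part
    return jar.output(header="").strip()


def stored_cookie(set_on_host, secure, domain=None, path="/"):
    """A cookie as the browser remembers it after processing Set-Cookie."""
    return {"host": set_on_host, "secure": secure, "domain": domain, "path": path}


def cookie_sent(cookie, request_url):
    """Simplified browser decision: does this stored cookie go on request_url?

    Approximates RFC 6265 scheme, domain and path matching; real browsers
    add more rules (e.g. public-suffix checks, SameSite), which are omitted here.
    """
    parts = urlsplit(request_url)
    host = (parts.hostname or "").lower()

    # Secure cookies are withheld from non-https requests
    if cookie["secure"] and parts.scheme != "https":
        return False

    if cookie["domain"]:
        # Domain attribute: cookie is sent to the domain and every sub-domain
        suffix = cookie["domain"].lstrip(".").lower()
        if not (host == suffix or host.endswith("." + suffix)):
            return False
    else:
        # No Domain attribute: host-only, exact host match required
        if host != cookie["host"].lower():
            return False

    # Path matching, simplified to a plain prefix test
    return (parts.path or "/").startswith(cookie["path"])


def attack_scenarios():
    """Replay the situations discussed in the thread and report the outcomes."""
    plain = stored_cookie("example.com", secure=False)
    secure = stored_cookie("example.com", secure=True)
    wildcard = stored_cookie("admin.example.com", secure=True, domain=".example.com")
    host_only = stored_cookie("admin.example.com", secure=True)
    return {
        # admin logs in over https://example.com/admin, then an attacker on the
        # network makes the browser load a plain http page on the same host
        "no_secure_flag_over_http": cookie_sent(plain, "http://example.com/blog"),
        "secure_flag_over_http": cookie_sent(secure, "http://example.com/blog"),
        "secure_flag_over_https": cookie_sent(secure, "https://example.com/admin"),
        # wildcard Domain= cookie set on the admin host leaks to sibling hosts
        "wildcard_domain_to_sibling": cookie_sent(wildcard, "https://www.example.com/"),
        # host-only cookie on a separate admin sub-domain stays there
        "host_only_to_sibling": cookie_sent(host_only, "https://www.example.com/"),
        "host_only_to_admin": cookie_sent(host_only, "https://admin.example.com/users"),
    }


if __name__ == "__main__":
    print(build_set_cookie("sid", "0123456789abcdef"))
    for name, sent in attack_scenarios().items():
        print(f"{name:32s} cookie sent: {sent}")
```

Two caveats a practitioner should keep in mind. The Secure flag stops the cookie from being *sent* over plain http, but an attacker on the network can still *set* a cookie for the same host from an http:// response, because cookies carry no origin integrity; HSTS (or never serving the host over http at all) is what closes that gap. And a host-only cookie on a separate admin sub-domain only helps if the application never sets a Domain= attribute, which is exactly the "assuming no wildcard cookies" condition raised above.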
