
> Many sites will send session tokens over http because they don't set the "secure" cookie flag. It's a simple thing to do, and prevents a malicious ARP poison or DNS attack from potentially hijacking an account.

Or you can of course enforce HSTS so that HTTP never gets used.
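As an added example (not code from the thread or from either commenter): a small Python audit that checks one HTTPS response's headers for both controls discussed above, the Secure attribute on cookies and a usable Strict-Transport-Security policy. The sample header sets, the session-cookie name heuristics and the one-year max-age threshold are assumptions made for the illustration.

```python
"""Audit HTTP response headers for the Secure cookie attribute and HSTS.

Added example, not from the Hacker News thread. Header samples below are
constructed; the cookie-name hints and the max-age threshold are assumptions.
"""

ONE_YEAR = 31536000  # seconds; assumed threshold for a "long enough" HSTS max-age

# Substrings that suggest a cookie carries a session token (assumption; extend as needed).
SESSION_COOKIE_HINTS = ("sess", "sid", "token", "auth")


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes such as Path map to their value.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if max-age is missing or not an integer."""
    directives = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        directives[key.strip().lower()] = val.strip().strip('"') if sep else True
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        return None
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def audit_headers(headers):
    """headers: iterable of (name, value) pairs from one HTTPS response.

    Returns a list of finding strings; an empty list means every cookie is
    marked Secure and a usable HSTS policy is present.
    """
    findings = []
    hsts_seen = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            session_like = any(h in cname.lower() for h in SESSION_COOKIE_HINTS)
            if "secure" not in attrs:
                severity = "HIGH" if session_like else "LOW"
                findings.append(
                    f"{severity}: cookie {cname!r} lacks Secure; a client will send it over plain http://"
                )
            if session_like and "httponly" not in attrs:
                findings.append(f"MEDIUM: session cookie {cname!r} lacks HttpOnly")
        elif lname == "strict-transport-security":
            hsts_seen = True
            hsts = parse_hsts(value)
            if hsts is None:
                findings.append("HIGH: Strict-Transport-Security present but max-age missing or invalid")
            elif hsts["max_age"] == 0:
                findings.append("HIGH: HSTS max-age=0 clears the policy; browser will follow http:// links")
            else:
                if hsts["max_age"] < ONE_YEAR:
                    findings.append(f"MEDIUM: HSTS max-age {hsts['max_age']} is below one year")
                if not hsts["include_subdomains"]:
                    findings.append("LOW: HSTS lacks includeSubDomains; subdomains may still be reached over http://")
    if not hsts_seen:
        findings.append("HIGH: no Strict-Transport-Security header; browser will follow http:// links")
    return findings


# Constructed sample responses: the weak configuration beside the hardened one.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["OK"])
```

The audit treats the two controls as complementary rather than interchangeable: HSTS only applies once a browser has seen the header over HTTPS (or has the host preloaded) and only for the hosts it covers, so a session cookie without Secure can still leak on a first visit or to an uncovered subdomain, while Secure alone does nothing to keep the rest of the page off plain HTTP.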
