That is exactly my point. "Web security" being treated as a separate area where only specific people specialize instead of being treated as a basic fundamental prerequisite for a web developer.
I'm not following. I'm saying: Facebook certainly knew that if you logged in via a public wireless network, your session cookie could be stolen. They accepted the risk, like many, many other companies do. What do the fundamentals of web dev have to do with this?