oxplot
5y ago
That only protects the user's password. The auth cookie will be sent in all subsequent requests in plain text.
EDIT: that's how Firesheep (https://en.wikipedia.org/wiki/Firesheep) hijacked sessions for e.g.
nly
5y ago
That's not true. Cookies can have a 'secure' attribute which tells the browser to send them only over TLS.
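To make the two comments above concrete, here is an added example (not code from either commenter) that models the browser rule nly is referring to: a cookie carrying the Secure attribute is attached only to requests over https://, so a session cookie set without it is exactly what a sniffer on an open network could read from a later plaintext request. The cookie name, value and URLs are constructed for the illustration; the domain/path/SameSite matching that a real cookie jar also performs is left out so the Secure check stands out.

```javascript
// Added example, not from the thread. Node.js, no dependencies.

// Build a Set-Cookie header value. Secure and HttpOnly default to on,
// which is what a session cookie should normally get.
function buildSetCookie(name, value, { secure = true, httpOnly = true, sameSite = 'Lax', maxAge } = {}) {
  const parts = [`${name}=${value}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  parts.push('Path=/');
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value into a cookie record (attribute names are case-insensitive).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, httpOnly: false };
  for (const a of attrs) {
    const [k, v] = a.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'path') cookie.path = v;
    else if (key === 'samesite') cookie.sameSite = v;
    else if (key === 'max-age') cookie.maxAge = Number(v);
  }
  return cookie;
}

// Simplified cookie-jar rule (RFC 6265 section 5.4): a cookie flagged Secure is only
// attached to requests whose scheme the browser treats as secure (https here).
// Domain, path and SameSite matching are intentionally omitted in this model.
function cookieHeaderFor(jar, url) {
  const isSecureScheme = new URL(url).protocol === 'https:';
  return jar
    .filter(c => !c.secure || isSecureScheme)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed scenario: login happened over TLS, then the site links to a plain http:// page.
function firesheepScenario() {
  const weak = parseSetCookie(buildSetCookie('session', 'abc123', { secure: false }));
  const hardened = parseSetCookie(buildSetCookie('session', 'abc123', { secure: true }));
  return {
    // Without Secure the session cookie rides along on the plaintext request and can be sniffed.
    weakOverHttp: cookieHeaderFor([weak], 'http://example.com/feed'),
    // With Secure the browser withholds it from the plaintext request...
    hardenedOverHttp: cookieHeaderFor([hardened], 'http://example.com/feed'),
    // ...and still sends it over TLS.
    hardenedOverHttps: cookieHeaderFor([hardened], 'https://example.com/feed'),
  };
}

console.log(firesheepScenario());
```

One caveat a practitioner should add to nly's point: Secure stops the cookie from being transmitted in the clear, but the http:// request itself is still made and the session on that page is simply not logged in; sending a Strict-Transport-Security header (HSTS) on the TLS responses is the companion control that makes the browser upgrade those requests to https:// instead.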