On 06/12/11 20:56, Chris Seberino wrote: > Is it correct that if one uses SSL for a notebook server than ALL the > pages MUST be under SSL? > > The reason I'm asking is that the notebook server appears unable to > handle Apache configs that try to switch from SSL to unencrypted after > login. > > In other words, notebook is brittle when it comes to attempts to do > anything fancy with Apache.
I don't know if there's a way to allow this, but why would you want to? When you log in -- presumably, over SSL, because you want to protect your password -- your browser is sent a session cookie that it uses to identify you in the future. If you switch to plain HTTP in the same session, your password won't be sent in plain text, but the session cookie will be, and that's almost as bad: an attacker can pretend he's you until you log out. You could do a delicate dance to try to ensure that only "unprivileged" data is sent across the plain-HTTP channel; but again, why? And is it worth the time it would take to implement it and the associated security risk? -- To post to this group, send email to sage-support@googlegroups.com To unsubscribe from this group, send email to sage-support+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/sage-support URL: http://www.sagemath.org
