On Thursday, June 16, 2011 6:02:00 PM UTC-4, blackthorne wrote:
> Anthony: I don't really understand how that would solve the problem.
> The problem has to do with transmission of the session cookie in a non-secure
> channel. Regenerating it won't solve the problem.

It will solve the problem of transitioning from an insecure/pre-login session to a secure/post-login session, which is a separate issue.

> We need to enforce not to allow the transmission of authenticated sessions through
> non-secure channels. I think this should be the default behavior.

I'm not sure the framework should absolutely require SSL in order for the auth system to work at all.

Anthony
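The two separate issues Anthony distinguishes, shown side by side in a small Python example added here; this is not code from the thread or from the framework under discussion. Regenerating the session ID at login retires the ID that was in use while the session was anonymous (and possibly travelling over plain HTTP), which is the pre-login to post-login transition. Keeping the authenticated cookie off non-secure channels is a different mechanism: the re-issued cookie carries the Secure flag so the browser will not send it over HTTP, and the server additionally refuses to honour an authenticated session that arrives over HTTP anyway. The names `SessionStore`, `login`, `session_cookie_header`, `authenticated_user` and the cookie name `sessionid` are assumptions made for this example.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "sessionid"  # assumed cookie name for this example


class SessionStore:
    """In-memory session store keyed by an unguessable session ID (example only)."""

    def __init__(self):
        self._sessions = {}  # session id -> dict of session data

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def rotate(self, old_sid):
        """Move the session data under a fresh ID and retire the old one."""
        data = self._sessions.pop(old_sid, {})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def session_cookie_header(sid, secure):
    """Build the Set-Cookie value for the session cookie.

    With secure=True the browser only sends the cookie over HTTPS; HttpOnly
    keeps page script from reading it. An anonymous pre-login session may be
    issued without Secure so plain-HTTP pages can still carry a session.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    morsel = cookie[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    if secure:
        morsel["secure"] = True
    return cookie.output(header="").strip()


def login(store, sid, user):
    """Authenticate the session: rotate its ID first, then record the user.

    Rotation means an ID observed (or planted) while the session was anonymous
    cannot be replayed as the authenticated session. Returns the new ID and
    the Set-Cookie value that re-issues the cookie with the Secure flag.
    """
    new_sid = store.rotate(sid)
    store.get(new_sid)["user"] = user
    return new_sid, session_cookie_header(new_sid, secure=True)


def authenticated_user(store, sid, is_https):
    """Return the logged-in user for a request, or None.

    An authenticated session is only honoured over HTTPS. If it arrives over
    plain HTTP anyway (cookie issued without Secure, misconfigured proxy), the
    ID has been exposed on the wire, so the session is destroyed, not used.
    """
    data = store.get(sid)
    if data is None or "user" not in data:
        return None
    if not is_https:
        store.destroy(sid)
        return None
    return data["user"]


if __name__ == "__main__":
    store = SessionStore()
    anon_sid = store.create()                       # anonymous session, acceptable over HTTP
    print(session_cookie_header(anon_sid, secure=False))
    auth_sid, set_cookie = login(store, anon_sid, "alice")
    print(set_cookie)                               # ...; HttpOnly; Path=/; SameSite=Lax; Secure
    print(store.get(anon_sid))                      # None: the pre-login ID was retired
    print(authenticated_user(store, auth_sid, is_https=True))   # alice
    print(authenticated_user(store, auth_sid, is_https=False))  # None, and the session is gone
```

The two halves are independent on purpose: rotation without the Secure flag still leaks the new ID the next time the browser hits an `http://` URL, and the Secure flag without rotation leaves a fixation window open for any ID the attacker could set or observe before login. A framework can make rotation unconditional while leaving the Secure flag as a setting, which is the split Anthony's reply argues for.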