Could someone point me in the right direction?
I'm trying to implement a secure login where, ideally, someone sniffing the session id of a user cannot simulate being that user.
Is that possible? Or is the only secure way to avoid getting the session id sniffed by using SSL on every single request once the user has authenticated?
It sounds weird to me that the only way to do it is through SSL.
How do they do it on websites like, say, Facebook? They don't use SSL on each request after login, but I assume it is secure and someone sniffing my network wouldn't be able to impersonate me... or would they?
I would really appreciate some help since I'm stuck now due to this question...
Thx!