CHAPTER 11 – Auth Security Tip 3: Use HTTPS
Using HTTPS instead of HTTP protects usernames, passwords, and session ids from network packet sniffers. However, if an attacker has somehow obtained a session id, he may just as easily exploit it through HTTPS as through HTTP. The major hurdle for most people is the cost and hassle involved in obtaining and maintaining an SSL certificate for their site, as well as the hosting cost, which is often significant.