How does Vanilla protect against password sniffing / session hijacking?

A brief question. If/how does Vanilla protect against passwords being sniffed over the wire during registration and login (for non-OpenID/Twitter/Facebook providers)? Does Vanilla hash the password pre-login?

Do we have to go 100% HTTPS or just ForceSSL for certain controllers?

Is there also some protection against session hijacking à la Firesheep?

(PS: I admit I'm being a little lazy here as I haven't cracked out Fiddler, etc.)