
How does Vanilla protect against password sniffing / session hijacking?

A brief question. If/how does Vanilla protect against passwords being sniffed over the wire during registration and login (for non-OpenID/Twitter/Facebook providers)? Does Vanilla hash the password pre-login?

Do we have to go 100% HTTPS or just ForceSSL for certain controllers?

Is there also some protection against session hijacking à la Firesheep?

(PS: I admit I'm being a little lazy here as I haven't cracked out Fiddler, etc.)