On Wed, 2001-11-14 at 18:07, Ken Lalonde wrote:
> - after successful name+password authentication in an SSL session,
> drop the old session and generate a new one.
> Set the "secure" flag in the associated _SID_ cookie
> sent to the client, to reduce the risk of eavesdropping.
And, since you were mentioning security, I thought I'd mention that
there's a new field type in FFK CVS for doing secure logins without SSL
(FunFormKit.Field.MD5PasswordField). It seems to work decently enough,
though it's somewhat less secure than it could be for convenience's sake.
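
The session handling suggested in the quoted text above, sketched as an added example; it is not code from this thread or from FunFormKit. The in-memory store, the sample user and the function names are hypothetical, and the HttpOnly attribute goes beyond what the message asks for.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "_SID_"   # cookie name taken from the quoted message
SESSIONS = {}           # hypothetical in-memory store: sid -> session dict
# Constructed sample account; plaintext only to keep the example short.
USERS = {"alice": "correct horse"}


def new_session(data=None):
    """Create a session under a fresh, unpredictable identifier."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = dict(data or {})
    return sid


def session_cookie(sid):
    """Build the Set-Cookie header value with the Secure flag set."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["secure"] = True     # browser returns it only over SSL/TLS
    cookie[COOKIE_NAME]["httponly"] = True   # extra hardening, not in the message
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie[COOKIE_NAME].OutputString()


def login(old_sid, name, password):
    """Return (new_sid, set_cookie) on success, (None, None) on failure."""
    expected = USERS.get(name)
    if expected is None or not hmac.compare_digest(
            expected.encode(), password.encode()):
        return None, None   # failed login leaves existing sessions untouched
    # Drop the pre-login session: an identifier that existed before
    # authentication must never become the authenticated one.
    SESSIONS.pop(old_sid, None)
    sid = new_session({"user": name})
    return sid, session_cookie(sid)
```
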