It’s common to use HTTPS for authentication, so the authentication details from client cannot be sniffed. However once the user is logged in then subsequent calls to a web app passing some sort of auth id which then the web app will then use to authorise with, should that not also be HTTPS? How is this done in things like Facebook? Seems easier to make all traffic HTTPS.
It’s common to use HTTPS for authentication, so the authentication details from client cannot
Share
An answer by Jeff Atwood:
http://www.codinghorror.com/blog/2012/02/should-all-web-traffic-be-encrypted.html