On 28.12.2012 05:38, Benny Pedersen wrote:
but in this case if you are unable to provide a secure way for users not to bother about protocol prefixes the only stupid one is the admin
haha, ignorance is all over :=)
why pay for ssl when (l)users can get the same content without ssl ?
example:
http://www.no-ssl.example.org/... webmail url ...
https://www.no-ssl.example.org/... webmail url ...
the https url is fine in the sense connection is encrypted, both pages show same content, so more or less users don't care what protocol they use, hmm ?, this is unwanted by design
so diff hostname urls so it also gives 2 diff apache webroot dirs!
and how does this bullshit help you? you can deliver whatever content you want!
BUT the cookies are per hostname and so you will send your session cookies unencrypted, so the better way is to implement a redirect on the non-https and make sure the client sends cookies only encrypted - i really do not get the point why you refuse to understand this?
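
Added example, not part of the original message: a small model of the cookie behaviour discussed in the thread, using Python's standard `http.cookiejar` as a stand-in for a browser. The hostname is the one from the thread; the `/webmail/` path, the `SESSION` cookie name and its value are constructed for illustration.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "www.no-ssl.example.org"  # hostname from the thread; the path below is constructed


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends, it does not replace

    def info(self):
        return self._headers


def cookie_sent_over(scheme, set_cookie):
    """Receive `set_cookie` on an HTTPS login response, then return the Cookie
    header a client attaches to a follow-up request to the same host made
    with `scheme` (None if no cookie is sent)."""
    jar = CookieJar()
    login = Request(f"https://{HOST}/webmail/")
    jar.extract_cookies(FakeResponse([set_cookie]), login)

    follow_up = Request(f"{scheme}://{HOST}/webmail/")
    jar.add_cookie_header(follow_up)  # no network I/O, only header selection
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    plain = "SESSION=constructed123; Path=/"           # constructed sample value
    secure = "SESSION=constructed123; Path=/; Secure"  # same cookie with Secure
    # Cookies are scoped by hostname, not by scheme: without Secure the session
    # cookie set over HTTPS is also attached to a plain-HTTP request.
    print("http,  no Secure:", cookie_sent_over("http", plain))
    # With Secure the client withholds it on HTTP and still sends it on HTTPS.
    print("http,  Secure   :", cookie_sent_over("http", secure))
    print("https, Secure   :", cookie_sent_over("https", secure))
```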