Session cookies are quickly becoming the standard way to log in. However, if they are sent unencrypted, it's pretty easy to capture someone's session, à la Firesheep.
Now, you can solve this problem by making the whole site HTTPS, but if someone types mysite.com, the browser uses HTTP by default. We can solve this by redirecting:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
But by the time I can rewrite the URL, has my cookie message already been sent on an insecure channel?
Ender
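The ordering the question asks about, as an added example that is not part of the original post: a client decides which cookies to attach before it has seen any response, so the 301 comes too late to protect the first plain-HTTP request. The sketch uses Python's standard-library cookie jar as a stand-in for a browser (an assumption), with a constructed cookie name and value, and compares a cookie without the `Secure` attribute to one with it.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_session_cookie(secure):
    """Build a constructed session cookie for mysite.com (values are made up)."""
    return Cookie(
        version=0, name="session", value="constructed-id",
        port=None, port_specified=False,
        domain="mysite.com", domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure,              # the Secure attribute under test
        expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(url, secure):
    """Return the Cookie header a client would attach to a request for url.

    No network traffic happens here: the header is chosen from the jar
    before the request is sent, i.e. before any redirect could be received.
    Returns None when no cookie would be sent.
    """
    jar = CookieJar()
    jar.set_cookie(make_session_cookie(secure))
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


if __name__ == "__main__":
    for secure in (False, True):
        for url in ("http://mysite.com/", "https://mysite.com/"):
            sent = cookie_header_for(url, secure)
            print(f"Secure={secure!s:5} {url:20} -> Cookie: {sent}")
```

Without `Secure`, the cookie rides along on the initial `http://` request that the rewrite rule then redirects; with `Secure`, that request carries no cookie and only the HTTPS request does.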