How does Stackoverflow keep users signed in over HTTP?

Question

I've noticed that stackoverflow only uses SSL on the login page, and that questions/answers can be posted over HTTP.

Users must be logged in to do that, and so I'm wondering how stackoverflow manages to track which users are logged in, if SSL is not being used.

Currently I'm making a rails app, which tracks logged in status using cookies. I've always assumed you need SSL to do that securely. But I'm posting this, as a logged-in user, over HTTP.

I notice a cookie named 'usr' when I run tcpdump -i eth0 -A and then visit stackoverflow, and that this cookie is transmitted in plaintext, without SSL. Could a hacker/packet-sniffer take my usr cookie, and and replay my session, if I logged-in over an insecure connection, like a wifi cafe?

I want to avoid using SSL in my rails app (because my host charge an arm and a leg to implement it), so I want to use the same technique as stackoverflow. I want to keep users logged in, without SSL.

I'm guessing database (or memcache/redis) session store is in use here. But surely some sort of cookie is still required? How come these cookies don't have to be sent via SSL? Is there something else going on in the background that renders these cookies redundant to hackers on different machines?

Answer 1

Here is what I believe happens or something that you could use in your application.. you create two different types of cookies when the user logs in through your login page. you create the second cookie such that it will be sent back exclusively to HTTPS pages and all the other pages (HTTP & HTTPS included) can use the first cookie (user-session cookie) to maintain the session and all your pages that houses secure information that is exclusive to the user will make use of the second HTTPS cookie..

In this way page likes these can be viewed using just the session cookie but the moment you want to view see the user information page you use the second HTTPS cookie..

Hope that made some sense.