A client of mine is concerned about their users being subject to sniffing exploits and a malicious party being able to acquire logging details for the site I'm working on.
We've set up SSL logins and (currently) protected the entire admin section too. That said, I've now discovered that WordPress doesn't use sessions as it is stateless. If sessions are not in use, provided the login is encrypted, surely there is nothing that could be sniffed?
If that is the case, why is it an option to protect the admin section?
The problem I face is that I'm using BuddyPress and allowing users to log in from the homepage. Once logged in they can move seamlessly from the non-SSL front end to the SSL admin section so there are points during the experience when they are logged in but the content is not encrypted.
Can anything be exploited?
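To make the concern in the question concrete, here is an added example (mine, not part of the original question or of WordPress or BuddyPress) that checks a set of captured requests for the thing a sniffer would be after: a WordPress authentication cookie travelling over plain http. WordPress keeps the logged-in state in cookies named with the prefixes wordpress_logged_in_, wordpress_sec_ and wordpress_ (real prefixes; the suffix is a per-site hash), and the browser sends the logged-in cookie with every request to the site, including non-SSL front-end pages. The sample requests, the host example.test and the cookie values are constructed. The second function mirrors the rule WordPress core applies in wp_set_auth_cookie(): the logged-in cookie only gets the Secure flag when the login itself came over SSL and the site's home URL is https, so forcing SSL on the admin section alone does not stop that cookie leaving over http on the front end.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# WordPress authentication cookie name prefixes (the suffix is a site-specific hash).
AUTH_COOKIE_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_", "wordpress_")
# Not an auth cookie, even though it shares the "wordpress_" prefix.
NON_AUTH_COOKIES = {"wordpress_test_cookie"}

# Constructed sample: one request per dict, as a proxy or capture tool might export them.
SAMPLE_REQUESTS = [
    {"url": "https://example.test/wp-login.php", "cookie": ""},
    {"url": "https://example.test/wp-admin/",
     "cookie": "wordpress_sec_abc=user|exp|hmac; wordpress_logged_in_abc=user|exp|hmac"},
    # Front-end page after login: no SSL, but the logged-in cookie is still sent.
    {"url": "http://example.test/activity/", "cookie": "wordpress_logged_in_abc=user|exp|hmac"},
    {"url": "http://example.test/wp-content/themes/x/style.css", "cookie": "wp-settings-1=x"},
]


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie request header into a name -> value mapping."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def auth_cookies_in(header: str) -> List[str]:
    """Names of WordPress authentication cookies present in a Cookie header."""
    return [
        name for name in parse_cookie_header(header)
        if name.startswith(AUTH_COOKIE_PREFIXES) and name not in NON_AUTH_COOKIES
    ]


def plaintext_auth_exposures(requests: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return every request that carried an auth cookie over plain http.

    Each exposure records the URL and the cookie names that were sent in the clear;
    these are exactly the requests a passive sniffer on the path could read.
    """
    exposures: List[Dict[str, object]] = []
    for req in requests:
        scheme = urlsplit(req["url"]).scheme.lower()
        names = auth_cookies_in(req.get("cookie", ""))
        if scheme == "http" and names:
            exposures.append({"url": req["url"], "cookies": names})
    return exposures


def logged_in_cookie_gets_secure_flag(login_over_ssl: bool, home_url_scheme: str) -> bool:
    """Model of core's wp_set_auth_cookie() rule for the wordpress_logged_in_* cookie.

    The cookie is marked Secure (browser sends it over https only) when the login
    request was SSL *and* the site's home URL is https. Forcing SSL on wp-admin alone
    leaves an http home URL, so the front-end cookie stays sendable over http.
    """
    return login_over_ssl and home_url_scheme.lower() == "https"


if __name__ == "__main__":
    for exposure in plaintext_auth_exposures(SAMPLE_REQUESTS):
        print("auth cookie sent in the clear:", exposure["url"], exposure["cookies"])
    print("secure flag with SSL admin but http home URL:",
          logged_in_cookie_gets_secure_flag(True, "http"))
    print("secure flag with SSL login and https home URL:",
          logged_in_cookie_gets_secure_flag(True, "https"))
```

Run against the constructed sample, the only exposure is the front-end /activity/ request: the wp-admin request is protected and the stylesheet request carries no auth cookie. That is the gap the question describes, and the fix the model points at is moving the whole site (home URL included) to https rather than only the admin section.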