As far as I understand, if I do not use SSL/HTTPS, cookies and session ids travel as plain text over the wire. An attacker can use a packet sniffer to get his hands on these. How c
Short Answer: no encryption means unencrypted data.
Longer Answer: If you want to encrypt your HTML stuff (and I include cookies and session id as HTML stuff), then you must encrypt your data. You have two options: a. HTTPS or b. roll your own scheme. Option b is almost never a good idea.