If people add the email as userid these will also be added to non-ssl pages what is a serious data protection issue on unencrypted wires.
People should always use a uuid or hashing the username/email, but never use the real value.
Please remove all these documentation references and make clear people should never use these raw values.
make clear people should never use these raw values.
there are many cases where usernames are already in the webpages content eg. in JS variables or in the DOM. Same with email address. So "should never" is wrong here.
in general it is responsability of each webmaster to measure their data securely. I hope that most people who have a login form on their website will deliver all pages once user is logged-in via SSL. If they don't then it would leak the auth cookie which is much worse than leaking username or email.
So the point of unencrypted wires for User ID does not make a lot of sense since User ID will only be used when users are logged -in which should be done securely to ensure safety of auth cookie.
I'm sorry, but this is not correct. Well if a user logs in it will be encrypted, but if I make one more click I'm on HTTP and no longer on HTTPS. It's not required to stay at SSL after a login. You only need to protect the login itself.
With your documentation people will start using email address as UserID and this is always send over the wire unencrypted.
The session cookie will be destroyed after I hit logout or after time. My Emailaddress is not destroyed after I hit the logout button.
You only need to protect the login itself.
no you need to also protect pages once you are logged-in, otherwise the session cookie will be stealable by a man-in-the-middle attack (similar attack that would reveal username/email as you point out)
My Emailaddress is not destroyed after I hit the logout button.
What do you mean?