I'm trying to determine how much of a security risk I'm looking at when I have rubycas itself running over https, but my actual sites running under http. the reason I'm faced with this issue is that the sites are deployed on heroku, which means ssl is either really expensive or really a pain.
In addition to the login details, i also pass user rolls (authorization) to each site that is then stored in a session.
Any input is greatly appreciated.
The problem with this approach is that neither the sessionid (url or cookie) nor the exchanged data is encrypted. Therefore the data can be read and manipulated both on the way from the server to the user and on the way from the user to the server.
Even a passive attacker that can just sniff the traffic without being able to manipulate it, can create damage: The attacker can just copy the sessionid into his or her own browser. Public wireless connections often use a transparent proxy, so both the attacker and the victim have the same public ip-address, which makes it difficult for the application to tell them apart.
There is a tool called Firesheep that makes this kind of attack extremely easy.