I was reading a few articles about secure login systems without SSL, as it looks a bit difficult to set up a server to accept HTTPS connections, create a certificate, etc.
In order to fix this, a randomly generated key for challenge-response was suggested, so that every login action is unique and can't be used twice. This all made sense to me, and it appeared to me that this might work very well.
Until the point where a session variable is used to indicate that the user is logged in, where the session ID is connected to an ID that is stored in a cookie on the user's computer, which will be sent as plain text, making it very easy to just hijack the session, so the whole challenge-response system would be completely useless.
That brings me to my question: Is there any way to confirm that the user is really logged in? Or even: How bad is it to send a password as plain text (over a regular HTTP connection) to the server? I can imagine the things that can happen when someone intercepts the internet traffic of a certain user, but I've no idea how easy it is to do this. How likely is it that someone can get your password when sending it unencrypted over the internet?
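
The scheme described in the question, as an added example that is not part of the original post: a toy in-memory server with a single-use challenge for the password and a plain session cookie, plus the list of values an observer on an unencrypted connection would see. The names `Server`, `client_response` and `demo`, the SHA-256 key derivation and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _key(password):
    # Simplification for the demo; a real system would use a salted, slow KDF.
    return hashlib.sha256(password.encode()).digest()

def client_response(password, nonce):
    """What the browser sends instead of the password itself."""
    return hmac.new(_key(password), nonce.encode(), hashlib.sha256).hexdigest()

class Server:
    def __init__(self, users):
        self.keys = {name: _key(pw) for name, pw in users.items()}
        self.challenges = {}  # nonce -> username, each usable once
        self.sessions = {}    # session id -> username

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.challenges[nonce] = user
        return nonce

    def login(self, nonce, response):
        user = self.challenges.pop(nonce, None)  # pop: a replayed nonce is gone
        if user is None or user not in self.keys:
            return None
        expected = hmac.new(self.keys[user], nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def whoami(self, cookie):
        # The cookie is the only thing checked on later requests.
        return self.sessions.get(cookie)

def demo():
    server = Server({"alice": "correct horse"})  # constructed sample account
    seen = {}  # everything that crosses the wire in plain text
    seen["nonce"] = server.challenge("alice")
    seen["response"] = client_response("correct horse", seen["nonce"])
    seen["cookie"] = server.login(seen["nonce"], seen["response"])
    replayed_login = server.login(seen["nonce"], seen["response"])
    replayed_cookie = server.whoami(seen["cookie"])
    return replayed_login, replayed_cookie
```

`demo()` returns `(None, "alice")`: the replayed login exchange is rejected, while the session cookie alone is accepted as the logged-in user. The cookie is a bearer value, so protecting it requires encrypting the transport (HTTPS) and marking the cookie `Secure`.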