In general it is not a good idea to expose admin and yourapp/appadmin publicly unless they go over HTTPS and you enable secure cookies with
response.cookies[response.session_id_name]['secure']=True
This is true for web2py and any other web application: if you do not want your passwords to be transmitted unencrypted, your session cookies should not be either!
In fact, by default, for security, web2py admin does not work if the client is not localhost.
An easy way to set up a secure production environment on a server (@serveraddress) is to:
start two instances of web2py:
nohup python2.5 web2py -p 8000 -i 127.0.0.1 -a '' &
nohup python2.5 web2py -p 8001 -i 127.0.0.1 -a password &
use apache mod_proxy to redirect port 80 to port 8000 (there will be no admin on that instance because no password was set); this is the public site
from your client machine, connect to the second instance using an ssh tunnel:
ssh -L 8001:127.0.0.1:8001 username@serveraddress
connect to 127.0.0.1:8001 on the local computer to access the admin of the remote (serveraddress) computer.
All communication via port 8001 will be accessible to you only and encrypted.
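The setup above is only safe if the password-protected instance really is bound to 127.0.0.1 and nothing else. The following POSIX shell script is an added example, not part of the original post or of web2py: it checks a web2py command line for the "password implies loopback" rule, and audits a listener table in the format printed by `ss -ltn` (the table below is constructed for the example; on a real host you would feed it `$(ss -ltn)`). The function names and the sample data are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks for the two-instance
# web2py layout: (1) an instance that has an admin password (-a) must listen
# on 127.0.0.1 only; (2) the admin port must show up in the kernel's listener
# table bound to a loopback address, never to 0.0.0.0 or a public address.

# Constructed sample of `ss -ltn` output: the public instance on 8000 is
# correctly on loopback (Apache proxies to it), but the admin instance on
# 8001 has been started with the wrong -i and is reachable from the network.
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8000      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8001        0.0.0.0:*
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*'

# instance_is_safe "CMDLINE" -> exit 0 when the command line is acceptable:
# either no admin password is given (-a '') or the bind address (-i) is
# 127.0.0.1. Word-splitting of $1 is intentional; a literal '' from the
# post's "-a ''" form is treated as an empty password.
instance_is_safe() {
  prev=""; ip=""; pw=""
  for arg in $1; do
    case "$prev" in
      -i) ip="$arg" ;;
      -a) pw="$arg" ;;
    esac
    prev="$arg"
  done
  [ "$pw" = "''" ] && pw=""
  [ -z "$pw" ] || [ "$ip" = "127.0.0.1" ]
}

# bound_address PORT LISTENERS -> prints the local address on which PORT is
# listening (field 4 of `ss -ltn` minus the ":PORT" suffix), or nothing.
bound_address() {
  port="$1"; listeners="$2"
  printf '%s\n' "$listeners" | awk -v p="$port" '
    $1 == "LISTEN" {
      n = split($4, a, ":")
      if (a[n] == p) { sub(":" p "$", "", $4); print $4; exit }
    }'
}

# loopback_only PORT LISTENERS -> exit 0 if PORT is bound to a loopback
# address (IPv4 127.0.0.1 or IPv6 [::1]) and nothing else.
loopback_only() {
  addr=$(bound_address "$1" "$2")
  [ "$addr" = "127.0.0.1" ] || [ "$addr" = "[::1]" ]
}

# Stand-alone demo over the constructed data.
for cmd in "python2.5 web2py -p 8000 -i 127.0.0.1 -a ''" \
           "python2.5 web2py -p 8001 -i 127.0.0.1 -a password" \
           "python2.5 web2py -p 8001 -i 0.0.0.0 -a password"; do
  if instance_is_safe "$cmd"; then
    echo "ok:     $cmd"
  else
    echo "UNSAFE: $cmd (admin password set but not bound to 127.0.0.1)"
  fi
done

for port in 8000 8001; do
  if loopback_only "$port" "$SAMPLE_LISTENERS"; then
    echo "port $port: loopback only (ok)"
  else
    echo "port $port: bound to $(bound_address "$port" "$SAMPLE_LISTENERS"), reachable from the network"
  fi
done
```

Run it as a post-deploy check after starting the two instances; replace SAMPLE_LISTENERS with the real `ss -ltn` output and the three sample command lines with the ones you actually used. The ssh tunnel from the post does not change what the server listens on, so this check stays valid after the tunnel is up.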