Ed Griffiths wrote:
> The webservice expects an encrypted usr/pwd combo, authenticates the login
> (say against LDAP or DB), then passes back a valid JSESSIONID in the
> response that must be sent with all subsequent webservice requests (and also
> checks the incoming request IP address).
As far as I can tell, I would think that someone sniffing your packets
could still grab the encrypted user/pwd and send the same encrypted
combo to the webservice, which sort of defeats the purpose of encrypting
it in the first place.
Or, did I miss something (as often happens)?
-Sam
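The replay Sam describes, worked through in code as an added example (this is not code from the original post, nor from the CFCDev list or any ColdFusion library). It assumes a shared symmetric key, a hypothetical credential store, and a hypothetical encrypt-then-MAC token built from stdlib HMAC-SHA256 in counter mode standing in for whatever cipher the real service uses; the cipher choice does not matter for the point. `NaiveService` accepts any blob that decrypts to valid credentials, so a sniffed login blob resent verbatim yields a fresh session. `ReplaySafeService` is the hardened form: the client binds a timestamp and a one-time nonce into the encrypted payload, and the server rejects stale timestamps and any nonce it has already accepted within the window.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed demo values; a real service would provision the key out of band.
SHARED_KEY = b"demo-shared-key-not-for-production"
USERS = {"alice": "correct horse battery staple"}   # constructed credential store
REPLAY_WINDOW_SECONDS = 60


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stand-in stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC: base64(random 16-byte nonce || ciphertext || 32-byte tag)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()


def decrypt(key: bytes, token: str) -> bytes:
    """Verify the tag in constant time, then decrypt. Raises on tampering."""
    raw = base64.b64decode(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def make_login_token(user: str, pwd: str, bind_freshness: bool) -> str:
    """Client side. With bind_freshness the payload also carries a timestamp and a one-time nonce."""
    payload = {"user": user, "pwd": pwd}
    if bind_freshness:
        payload["ts"] = int(time.time())
        payload["nonce"] = os.urandom(12).hex()
    return encrypt(SHARED_KEY, json.dumps(payload).encode())


class NaiveService:
    """Accepts any blob that decrypts to valid credentials: the sniffed blob replays."""

    def login(self, token: str):
        creds = json.loads(decrypt(SHARED_KEY, token))
        if USERS.get(creds["user"]) != creds["pwd"]:
            return None
        return os.urandom(16).hex()          # stand-in for the issued JSESSIONID


class ReplaySafeService:
    """Rejects stale timestamps and any nonce already accepted inside the window."""

    def __init__(self, now=time.time):
        self._now = now
        self._seen = {}                      # nonce -> ts, pruned as entries age out

    def login(self, token: str):
        creds = json.loads(decrypt(SHARED_KEY, token))
        now = self._now()
        ts, nonce = creds.get("ts"), creds.get("nonce")
        if ts is None or nonce is None or abs(now - ts) > REPLAY_WINDOW_SECONDS:
            return None                      # missing or stale freshness fields
        self._seen = {n: t for n, t in self._seen.items() if now - t <= REPLAY_WINDOW_SECONDS}
        if nonce in self._seen:
            return None                      # replay: same nonce resubmitted in-window
        if USERS.get(creds["user"]) != creds["pwd"]:
            return None
        self._seen[nonce] = ts
        return os.urandom(16).hex()


def demo():
    """Returns (naive_replay_succeeded, safe_first_login_ok, safe_replay_rejected)."""
    token = make_login_token("alice", USERS["alice"], bind_freshness=False)
    naive = NaiveService()
    first = naive.login(token)
    replayed = naive.login(token)            # attacker resends the sniffed blob verbatim
    fresh = make_login_token("alice", USERS["alice"], bind_freshness=True)
    safe = ReplaySafeService()
    ok = safe.login(fresh)
    again = safe.login(fresh)
    return (first is not None and replayed is not None, ok is not None, again is None)


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

Note that the IP check Ed mentions applies to requests carrying the JSESSIONID; it does nothing for the login blob itself, because the replayer submits that blob from its own address and is issued its own session. Binding freshness into the encrypted payload closes that gap for a shared-key design; the more usual answer is to run the whole exchange over TLS so there is no blob to sniff.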
You are subscribed to cfcdev. To unsubscribe, please follow the instructions at
http://www.cfczone.org/listserv.cfm
An archive of the CFCDev list is available at
www.mail-archive.com/[email protected]