> To make the system entirely secure against this attack, we need
> to be able to enforce a one to one mapping between login
> sessions and https sessions. The existing tools for writing
> server side code do not provide us with any direct means of
> enforcing such a relationship.
I'm not paying very close attention to your posts. Paragraphs like the
above are the reason why.

From http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25

    The following environment variables are exported into SSI files
    and CGI scripts:
    SSL_SESSION_ID    The hex-encoded SSL session id

Care to try again?
    /r$

--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html
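An added example, not part of the original message and not mod_ssl's own code: one way a CGI script could tie a login session to the SSL session using the SSL_SESSION_ID variable quoted above. The function names, the in-memory store and the sample session ids are constructed for illustration, and it assumes the server is configured to export SSL_SESSION_ID to the script's environment.

```python
import hashlib
import hmac
import os
import secrets

# Illustration only: a CGI runs as a fresh process per request, so a real
# script would keep this mapping in a persistent server-side store.
_BINDINGS = {}  # login token -> SHA-256 of the SSL session id seen at login


def _ssl_session_id(environ):
    """Return the hex SSL session id exported by the server, or None."""
    sid = environ.get("SSL_SESSION_ID", "").strip().lower()
    if not sid or any(c not in "0123456789abcdef" for c in sid):
        return None  # not an HTTPS request, or the variable is malformed
    return sid


def login(environ=os.environ):
    """Issue a login token bound to the current SSL session (None without one)."""
    sid = _ssl_session_id(environ)
    if sid is None:
        return None
    token = secrets.token_urlsafe(32)
    _BINDINGS[token] = hashlib.sha256(sid.encode()).digest()
    return token


def check(token, environ=os.environ):
    """True only if the token is presented over the SSL session it was issued on."""
    sid = _ssl_session_id(environ)
    bound = _BINDINGS.get(token)
    if sid is None or bound is None:
        return False
    return hmac.compare_digest(bound, hashlib.sha256(sid.encode()).digest())


if __name__ == "__main__":
    # Constructed session ids standing in for two different SSL sessions.
    victim = {"SSL_SESSION_ID": "a1b2c3d4" * 8}
    other = {"SSL_SESSION_ID": "0f" * 32}
    tok = login(victim)
    print("same session:", check(tok, victim))    # token accepted
    print("other session:", check(tok, other))    # replayed token rejected
```

A new full handshake gives the client a new session id, so a legitimate user whose check fails should be sent back to log in again.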