Magnus Stenman wrote:
> > OK, I should have mentioned that I planned to use SSL. But even with SSL,
> > isn't it quite easy for a hacker to connect to my web site, perform the SSL
> > handshake, guess a valid serial number and include it as a cookie in the
> > following requests? If the serial numbers are easily guessable, whatever
> > password constraint you enforce, accessing protected resources is a piece
> > of cake, isn't it?
>
> No - with SSL no cookie is sent - the SSL session itself is what makes up
> the session identifier.
> In other words - it's not a problem. :)
>
Damn! I should have thought about that.
But I still have questions.
1. This means that a session can be shared between resources accessed via HTTP
and resources accessed via HTTPS. Correct?
2. If the web servers are clustered for load-balancing and fail-over, the
session state will have to be replicated, shared or made persistent. Will this
be done for SSL sessions as well?
>
> /Magnus Stenman, the Orion team
> http://www.orionserver.com
--
Jean-Baptiste Nizet
[EMAIL PROTECTED]
R&D Engineer, S1 Belgium
Excelsiorlaan 87
B-1930 Zaventem
+32 2 714 45 42
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
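The concern raised in the quoted message, that a serial-number session identifier can simply be guessed and presented as a cookie, applies to any bearer identifier the server accepts from the client, however the connection is encrypted. The following is an added example, not code from Orion or from anyone in this thread: it contrasts a session store that issues sequential serial numbers with one that issues identifiers from the operating system's CSPRNG, and runs the attacker described above (connect, guess an id, present it) against both. The store names, the 128-bit token size (`TOKEN_BYTES`), the three users and the guess budgets are all assumptions constructed for the demonstration.

```python
"""Added example: guessable vs. unguessable session identifiers."""
import secrets

TOKEN_BYTES = 16  # assumed size: 128 random bits per session id


class SerialSessionStore:
    """Hands out sequential serial numbers, the weak scheme the thread worries about."""

    def __init__(self, first_serial=1000):
        self._next = first_serial
        self._sessions = {}

    def create(self, principal):
        sid = str(self._next)
        self._next += 1
        self._sessions[sid] = principal
        return sid

    def lookup(self, sid):
        # Bearer check: whoever presents a valid id is treated as its owner.
        return self._sessions.get(sid)


class RandomSessionStore:
    """Same interface, but ids come from the OS CSPRNG via secrets.token_hex."""

    def __init__(self):
        self._sessions = {}

    def create(self, principal):
        sid = secrets.token_hex(TOKEN_BYTES)  # 32 hex chars, 128 bits of entropy
        self._sessions[sid] = principal
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def attack_serial(store, start, budget):
    """Attacker from the thread: open a connection (SSL or not), then present
    consecutive serial numbers as the session cookie until one is accepted."""
    hits = []
    for candidate in range(start, start + budget):
        principal = store.lookup(str(candidate))
        if principal is not None:
            hits.append((str(candidate), principal))
    return hits


def attack_random(store, budget):
    """Same attacker against random ids: every guess is an independent draw
    from a 2**128 space, so a realistic budget hits nothing."""
    hits = []
    for _ in range(budget):
        candidate = secrets.token_hex(TOKEN_BYTES)
        principal = store.lookup(candidate)
        if principal is not None:
            hits.append((candidate, principal))
    return hits


def expected_guesses(id_bits, active_sessions):
    """Expected guesses before the first hit when `active_sessions` valid ids
    are spread over a space of 2**id_bits: roughly space / targets."""
    return 2 ** id_bits // active_sessions


def demo():
    """Constructed scenario: three logged-in users on each store, an attacker
    who has seen one recent id and spends 20 guesses on the serial store,
    and 10,000 blind guesses on the random store."""
    serial = SerialSessionStore(first_serial=1000)
    random_store = RandomSessionStore()
    for principal in ("alice", "bob", "carol"):
        serial.create(principal)
        random_store.create(principal)
    return {
        "serial_hits": attack_serial(serial, start=990, budget=20),
        "random_hits": attack_random(random_store, budget=10_000),
    }


if __name__ == "__main__":
    result = demo()
    print("serial ids hijacked:", [p for _, p in result["serial_hits"]])
    print("random ids hijacked:", result["random_hits"])
    print("expected guesses, 1M live sessions, 128-bit ids:",
          expected_guesses(128, 1_000_000))
```

The point the example makes: with serial ids, 20 guesses starting near any id the attacker has seen recover every active session; with 128-bit random ids, even a million concurrent sessions leave the attacker needing on the order of 2^108 guesses for a single hit. The same reasoning applies if the server keys the session on the SSL session id instead of a cookie, since that id is likewise a random value generated by the TLS implementation.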