> OK, I should have mentioned that I planned to use SSL. But even with SSL, isn't it
> quite easy for a hacker to connect to my web site, perform the SSL handshake, guess a
> valid serial number and include it as a cookie in the following requests? If the
> serial numbers are easily guessable, whatever password constraint you enforce,
> accessing protected resources is a piece of cake, isn't it?

No - with SSL no cookie is sent - the SSL session itself is what makes out
the session identifier.
In other words - it's not a problem. :)
/Magnus Stenman, the Orion team
http://www.orionserver.com