Brian Schaefer wrote:

> That's right, and it wouldn't seem that just encrypting the sessionID would
> do much good, because a session hijacker could just send back the same
> encrypted ID.  It seems that there needs to be an applet running on the
> client that could take the encrypted sessionID, then use a key to re-encrypt
> it in such a way that the server could recognize it came from the intended
> recipient.  Any ideas?
> Thanks, Brian
>

If you use an applet for this purpose, our hypothetical cracker can read the
bytecodes as they are downloaded, right?  So it is possible to decompile the
applet and understand what algorithm you try to use, and we're back where we
started -- vulnerable.

This is why encryption-based protocols like SSL exist: to minimize the
possibility that you can be hacked, even in an environment where the bad guy
can listen to the bytes going by.

Craig
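The two points in this exchange, as an added example in Python (not code from either poster): a server-sealed session ID is still a static bearer value, so a captured copy verifies just as well as the original, whereas a per-request challenge-response with a client-held key rejects a replayed response. The HMAC used here stands in for whatever sealing the server applies; the client key is the secret an applet would need, and it can only be delivered over a confidential channel such as SSL, never embedded in downloadable bytecode. All keys and IDs are constructed at runtime.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed: server-only key, never sent


def issue_static_token(session_id: str) -> bytes:
    """Server 'seals' the session ID; the result is a fixed string on the wire."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).digest()


def verify_static_token(session_id: str, token: bytes) -> bool:
    # Nothing distinguishes the legitimate client's copy from an observer's copy.
    return hmac.compare_digest(issue_static_token(session_id), token)


class ChallengeServer:
    """Per-request challenge-response: each nonce is single use."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"key": bytes, "nonce": bytes | None}

    def new_session(self):
        sid, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.sessions[sid] = {"key": key, "nonce": None}
        return sid, key  # key must reach the client confidentially (e.g. over SSL)

    def challenge(self, sid: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.sessions[sid]["nonce"] = nonce
        return nonce

    def verify(self, sid: str, nonce: bytes, response: bytes) -> bool:
        s = self.sessions[sid]
        if s["nonce"] is None or not hmac.compare_digest(nonce, s["nonce"]):
            return False  # no outstanding challenge, or a stale one: replay rejected
        s["nonce"] = None  # consume the challenge before checking the answer
        expected = hmac.new(s["key"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    """Returns (static token replay accepted, first response ok, replayed response ok)."""
    token = issue_static_token("session-42")          # constructed session ID
    static_replay_ok = verify_static_token("session-42", bytes(token))
    srv = ChallengeServer()
    sid, key = srv.new_session()
    nonce = srv.challenge(sid)
    response = client_respond(key, nonce)
    first_ok = srv.verify(sid, nonce, response)
    replay_ok = srv.verify(sid, nonce, response)      # same bytes sent again
    return static_replay_ok, first_ok, replay_ok
```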

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
FAQs on JSP can be found at:
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html