That was my point, where else could you store his key, other than in the
cookie because it is sent back. (some place where it would remain on his
computer only after sending it to him with SSL.  -- maybe you could set a
cookie with a fictitious domain name, but then could your applet read it?)
The reasoning here is to avoid the overhead of using SSL all the time,
(there might be nothing in the communications that needs to be hidden, so
it's not eavesdroppers that matter in this case,)  however you may want to
add a measure of security so that if someone else replied to a response, the
server could detect that this request probably wasn't from the same client.
Another application would be to detect if indeed it was from the same client
and he was just changing the session ID.

Here's a quote from an advertisement for shareware that changes session ID
etc: "... was able to hijack Hotmail's account and message forms and save
them locally or post them on a webserver, and they were still perfectly
functional.  Both forms are very heavily protected using dynamically
generated cookies and hidden form fields, HTTP Referrer and User-Agent
checks.  ... took care of all those things and now creating 1000 Hotmail
accounts is not a problem."
> If you are using SSL, you presumably don't need to worry about eavesdroppers
> any longer.  Since *everything* you send back and forth is encrypted, you
> might as well set a persistent cookie with a value that connects to the
> user's identity, like many portal sites do.  The HTTP headers (including this
> cookie) are encrypted by the SSL layer, so there is no threat unless the
> hacker can crack SSL encoding -- in which case you've got a lot more serious
> problems :-).
>
> However, if you use SSL only the first time, you're still out of luck --
> eavesdroppers who listen in on your subsequent communications are still in
> the position that they can just send the same cookie value, and impersonate
> your session.  You need to encrypt everything if you're concerned about this
> issue.
>
> >
> > Brian
>
> Craig
>
> ===========================================================================
> To unsubscribe: mailto [EMAIL PROTECTED] with body:
> "signoff JSP-INTEREST".
> FAQs on JSP can be found at:
>  http://java.sun.com/products/jsp/faq.html
>  http://www.esperanto.org.nz/jsp/jspfaq.html
>
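The two failure modes the thread is arguing about (a client that alters its session ID, versus an eavesdropper that replays the cookie unchanged) can be separated with a server-side keyed MAC over the session ID. The following is an added example, not code from the original thread or from either poster; the key, session ID values and function names are all constructed for illustration. It shows that a signed cookie lets the server detect a changed session ID, but, exactly as Craig points out, a byte-for-byte copy of a cookie captured on an unencrypted connection still verifies, so signing alone does not stop replay.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; a real deployment would
# load it from configuration and keep it off the client entirely.
SERVER_KEY = b"example-server-key-do-not-reuse"


def new_session_id() -> str:
    """Generate an unguessable session identifier (hypothetical helper)."""
    return secrets.token_hex(16)


def issue_session_cookie(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Bind a session ID to the server key: value is '<id>.<hmac-sha256>'.

    The client never sees the key, only the MAC, so it cannot forge a
    valid cookie for a different session ID.
    """
    mac = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify_session_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the session ID if the MAC is valid, else None.

    Rejects cookies whose session ID was edited, cookies signed under a
    different key, and malformed values.  It does NOT reject an exact copy
    of a legitimately issued cookie: that is the replay case the thread
    says only end-to-end encryption addresses.
    """
    try:
        session_id, presented_mac = cookie.rsplit(".", 1)
    except ValueError:
        return None  # no separator: not something we issued
    expected_mac = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(presented_mac, expected_mac):
        return None
    return session_id


def classify_request(cookie: str, issued_cookie: str, key: bytes = SERVER_KEY) -> str:
    """Label an incoming cookie for logging (hypothetical helper).

    'valid'    - MAC checks out and it is the cookie we issued
    'replay'   - MAC checks out but the ID differs from what we issued
                 (only possible if the attacker also obtained a valid cookie
                 for that other ID, e.g. by eavesdropping)
    'tampered' - MAC does not check out: the ID or MAC was modified
    """
    sid = verify_session_cookie(cookie, key)
    if sid is None:
        return "tampered"
    if cookie == issued_cookie:
        return "valid"
    return "replay"


if __name__ == "__main__":
    # Constructed walk-through of the three cases discussed in the thread.
    sid = "f3a1c2d4e5b60718293a4b5c6d7e8f90"   # constructed session ID
    cookie = issue_session_cookie(sid)
    print("issued:", cookie)

    # 1. Honest client sends the cookie back unchanged.
    print("unchanged cookie ->", classify_request(cookie, cookie))

    # 2. Client edits the session ID part of the cookie.
    edited = cookie.replace(sid, sid[:-1] + "1")
    print("edited session id ->", classify_request(edited, cookie))

    # 3. Eavesdropper replays a copy captured from an unencrypted request:
    #    the MAC is valid, so signing alone cannot distinguish it.
    copied = cookie[:]
    print("verbatim copy ->", verify_session_cookie(copied) == sid)
```

The third case is the reason the thread concludes that SSL only on the first exchange is not enough: the server can prove the cookie was minted by it, but not who is presenting it. Binding the MAC to request attributes such as the User-Agent or Referer header does not change that, since, as the quoted advertisement notes, those headers are under the sender's control.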
