On Mar 27, 2008, at 7:55 AM, mario ruggier wrote:
I believe there is little issue with transmitting the session id
cookie in the clear -- even if this is eavesdropped, it should not
be possible (at least not without a lot of other additional
trickery) for another client to hijack any server-side session data
(maybe David can confirm this?).
The remote IP address of the request is checked to make sure that it agrees with the one given at the time of authentication, but this is a very weak link. An eavesdropper with your cookie should be considered as having all of the power that the web application allows to the original authenticated user.
_______________________________________________
QP mailing list
[email protected]
http://mail.mems-exchange.org/mailman/listinfo/qp
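The two points made in the reply above, that binding a session to the authenticating IP address is only a weak check and that the real protection is to keep the session id out of cleartext, can be shown in a few lines. The following is an added example, not QP's own session code: a hypothetical `SessionStore` that records the remote IP at authentication time and rejects a later request presenting the same cookie from a different address, plus a helper that emits the `Set-Cookie` header with the `Secure` and `HttpOnly` attributes so the id is only sent over TLS and is not readable by page scripts. The cookie name `qp_session` and the IP addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    remote_ip: str  # address seen when the user authenticated


class SessionStore:
    """Hypothetical server-side store keyed by an unguessable session id.

    This is an illustration, not QP's Session manager.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, remote_ip: str) -> str:
        # 256 bits of randomness: the id itself must not be guessable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, remote_ip=remote_ip)
        return sid

    def lookup(self, sid: str, remote_ip: str) -> Optional[Session]:
        """Return the session only if the id is known AND the request
        comes from the address recorded at authentication.

        The IP check stops a naive replay from elsewhere, but any client
        that shares the victim's address (same NAT, same proxy) passes it,
        which is why the reply above calls it a weak link.
        """
        session = self._sessions.get(sid)
        if session is None or session.remote_ip != remote_ip:
            return None
        return session


def set_cookie_header(sid: str, secure: bool = True) -> str:
    """Build the Set-Cookie header for the session id.

    Secure   -> browser only sends the cookie over HTTPS, so it is never
                on the wire in the clear for an eavesdropper to read.
    HttpOnly -> cookie is not exposed to page scripts.
    """
    attrs = ["qp_session=%s" % sid, "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "198.51.100.7")          # constructed
    print(set_cookie_header(sid))
    print("same address:", store.lookup(sid, "198.51.100.7"))
    print("other address:", store.lookup(sid, "203.0.113.9"))
```

The `lookup` method is the IP "weak link" in code form: it only distinguishes clients by source address, so the cookie attributes, not the address check, are what keep the id away from an eavesdropper in the first place.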