Hello,

I would like to know if Resin 3 is vulnerable to session cookie hijacking. In the documentation it's written that:

"It is conceivable that someone could use a packet sniffer to find the session id of a user and then make a fake request to Resin thus gaining access to the session. This can be avoided by using HTTPS."

Does that mean that a session id is not tied to an IP address? For performance reasons I would like to use HTTPS on the login page only.

Thanks in advance,
John