On Feb 11, 2009, at 9:17 AM, John Livic wrote:

> Hello,
>
> I would like to know if Resin 3 is vulnerable to session cookie
> hijacking. In the documentation it's written that:
>
> "It is conceivable that someone could use a packet sniffer to find
> the session id of a user and then make a fake request to Resin
> thus gaining access to the session. This can be avoided by using
> HTTPS."
>
> Does that mean that a session id is not tied to an IP address?

Correct. Resin can't tie a session id to an IP address because client IP addresses legitimately change for the same cookie. Ages ago, AOL was notorious for being particularly bad about this. If you need real security, you really need to use HTTPS.

-- Scott

> For performance reasons I would like to use HTTPS on the login
> page only.
>
> Thanks in advance,
>
> John
>
>
> _______________________________________________
> resin-interest mailing list
> [email protected]
> http://maillist.caucho.com/mailman/listinfo/resin-interest
