SSL just for a login page

2002-08-09 Thread Drinkwater, GJ (Glen)
Hi, I have been working with Tomcat with a web site. There is an initial login page which sends the username and password to a servlet that checks them against a database. I want to have the information sent over SSL but then I want the user to be sent back to a non-SSL page for the rest of the

AW: SSL just for a login page

2002-08-09 Thread Ralph Einfeldt
HTTPS (except the ones for your login pages) to HTTP. -Original Message- From: Drinkwater, GJ (Glen) [mailto:[EMAIL PROTECTED]] Sent: Friday, 9 August 2002 15:11 To: '[EMAIL PROTECTED]' Subject: SSL just for a login page initial login page which sends the username

RE: SSL just for a login page

2002-08-09 Thread Drinkwater, GJ (Glen)
Hi, I am not an expert in the security of the web at the moment. Could you explain to me why this would open such a big security hole from swapping from https to https? I was suggesting this because I read this in a 'professional j2ee' book?!! The problem I have is that I need the username

Re: SSL just for a login page

2002-08-09 Thread peter lin
The problem is your own encryption isn't signed by a third party, which means if someone hacks into your server, they could compromise the security. Hackers are smart and have tons of free time. If there's a hole, it will be found and exploited. Most big e-comm sites use hardware acceleration

RE: SSL just for a login page

2002-08-09 Thread Durham David Cntr 805CSS/SCBE
' Subject: RE: SSL just for a login page Hi, I am not an expert in the security of the web at the moment. Could you explain to me why this would open such a big security hole from swapping from https to https? I was suggesting this because I read this in a 'professional j2ee' book

RE: SSL just for a login page

2002-08-09 Thread Drinkwater, GJ (Glen)
Hi, let me reply to a few of the emails. The problem is your own encryption isn't signed by a third party, which means if someone hacks into your server, they could compromise the security. Wouldn't this still be a problem if my public key was signed by a CA?? Isn't the cert. for the client to

Re: SSL just for a login page

2002-08-09 Thread peter lin
Drinkwater, GJ (Glen) wrote: Hi, let me reply to a few of the emails. The problem is your own encryption isn't signed by a third party, which means if someone hacks into your server, they could compromise the security. Wouldn't this still be a problem if my public key was signed by

RE: SSL just for a login page

2002-08-09 Thread Durham David Cntr 805CSS/SCBE
List' Subject: RE: SSL just for a login page Hi, let me reply to a few of the emails. The problem is your own encryption isn't signed by a third party, which means if someone hacks into your server, they could compromise the security. Wouldn't this still be a problem if my public key

AW: SSL just for a login page

2002-08-09 Thread Ralph Einfeldt
just for a login page 2) After a successful login, (still ssl, don't put anything session yet) pass the user's ID and a one-way hashed version of their password to a non ssl page that authenticates this information and sets up their session.

AW: SSL just for a login page

2002-08-09 Thread Ralph Einfeldt
: Drinkwater, GJ (Glen) [mailto:[EMAIL PROTECTED]] Sent: Friday, 9 August 2002 15:52 To: 'Tomcat Users List' Subject: RE: SSL just for a login page Could you explain to me why this would open such a big security hole from swapping from https to https?

AW: SSL just for a login page

2002-08-09 Thread Ralph Einfeldt
: Friday, 9 August 2002 16:38 To: Tomcat Users List Subject: AW: SSL just for a login page That's no solution, as now the one-way hash can be snooped and hijacked. You win absolutely nothing but wasted effort. -Original Message- From: Durham David Cntr 805CSS/SCBE [mailto

RE: SSL just for a login page

2002-08-09 Thread Durham David Cntr 805CSS/SCBE
Like I said, your session is open to snooping and hijacking, but your password is not revealed. -Original Message- From: Ralph Einfeldt [mailto:[EMAIL PROTECTED]] Sent: Friday, August 09, 2002 9:38 AM To: Tomcat Users List Subject: AW: SSL just for a login page That's

Re: SSL just for a login page

2002-08-09 Thread peter lin
What's to stop a hacker from stealing the session, then going to the user profile page and looking at the password? Of course if you do pass the user to http from https, you can still require profile management go through https, or simply never print the password to the browser. I personally

RE: SSL just for a login page

2002-08-09 Thread Drinkwater, GJ (Glen)
Yes, you are probably right, I will have to use SSL. Does anybody know of some good stress testing free software??? How does this sound. 1) User logs on and username and password sent over SSL. Password MD5 hashed and compared against users on a database. 2) If valid user logs on, if not user

Re: SSL just for a login page

2002-08-09 Thread Jose Francisco Junior
Users List' Subject: RE: SSL just for a login page Hi, I am not an expert in the security of the web at the moment. Could you explain to me why this would open such a big security hole from swapping from https to https? I was suggesting this because I read this in a 'professional

RE: SSL just for a login page

2002-08-09 Thread Durham David Cntr 805CSS/SCBE
jmeter, available from jakarta.apache.org -Original Message- From: Drinkwater, GJ (Glen) [mailto:[EMAIL PROTECTED]] Sent: Friday, August 09, 2002 9:59 AM To: 'Tomcat Users List' Subject: RE: SSL just for a login page Yes, you are probably right, I will have to use ssl. Does

Re: SSL just for a login page

2002-08-09 Thread Richard Plukker
For stress testing use Apache JMeter. Good luck, Richard. Drinkwater, GJ (Glen) wrote: Yes, you are probably right, I will have to use SSL. Does anybody know of some good stress testing free software??? How does this sound. 1) User logs on and username and password sent over SSL. Password md5

RE: SSL just for a login page

2002-08-09 Thread Drinkwater, GJ (Glen)
Just downloaded it, version 1.7, using it with Java 1.4 beta. Installation says that you don't need to do anything (already got JAVA_HOME), when I run it it just pulls up errors??

RE: SSL just for a login page

2002-08-09 Thread Durham David Cntr 805CSS/SCBE
post this on the jmeter-user list -Original Message- From: Drinkwater, GJ (Glen) [mailto:[EMAIL PROTECTED]] Sent: Friday, August 09, 2002 10:26 AM To: 'Tomcat Users List' Subject: RE: SSL just for a login page just downloaded it version 1.7 using it with java 1.4 beta

RE: SSL just for a login page

2002-08-09 Thread Anderson, Richard D ERDC-ITL-MS Contractor
09, 2002 10:26 AM To: 'Tomcat Users List' Subject: RE: SSL just for a login page Just downloaded it, version 1.7, using it with Java 1.4 beta. Installation says that you don't need to do anything (already got JAVA_HOME), when I run it it just pulls up errors??

RE: SSL just for a login page

2002-08-09 Thread Craig R. McClanahan
On Fri, 9 Aug 2002, Drinkwater, GJ (Glen) wrote: Date: Fri, 9 Aug 2002 14:51:32 +0100 From: Drinkwater, GJ (Glen) [EMAIL PROTECTED] Reply-To: Tomcat Users List [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Subject: RE: SSL just for a login page Hi, I am not an expert