Do you think that it would be smart and/or desirable to 'enforce' the 
check for all people that use sessions with SSL? In other words, if you 
have a TC session, and you're running things over SSL, we enforce the TC 
session ID and SSL session ID match.

If there are security experts out there (Christopher?) that are willing 
to contribute, I'd really appreciate it.

Bojan

GOMEZ Henri wrote:

>>Is the request attribute "javax.servlet.request.ssl_session" 
>>(in TC 3.3)
>>a 'standard' attribute that keeps the SSL session ID? Is there a spec
>>that defines it?
>>
> 
> No, it's not on the specs and even if you find this information
> on some servers (Apache + mod_ssl for example), there are 
> still some web servers where it won't be available (IIS I think)
> and so couldn't be forwarded by mod_jk ....
> 
> 
>>It seems like an extremely important part of keeping the users from
>>bumping into each other's TC session 'by accident' (or should I say by
>>cracking).
>>
> 
> Yes, it's something you could use to verify that nobody is hacking 
> your sessionid, but I feel that any serious webapp application
> must run under SSL ....
> 
> --
> To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
> 



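The check Bojan proposes, as an added example written for this thread (not Tomcat's own code): a servlet filter that binds the Tomcat session to the SSL session it was first used under, rejects later requests that present the session cookie over a different SSL session, and falls through when the connector did not forward the attribute at all (the IIS case Henri mentions). The filter and the `example.boundSslSessionId` attribute name are hypothetical; the SSL attribute name is the one quoted in the thread and is container-specific.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: enforces "TC session ID must stay with the SSL session
// it was bound to". Not part of Tomcat.
public class SslSessionBindingFilter implements Filter {
    // Attribute name as quoted in the thread; not defined by the servlet spec,
    // so some web server / connector combinations never set it.
    static final String SSL_SESSION_ATTR = "javax.servlet.request.ssl_session";
    // Hypothetical name under which the binding is stored in the HttpSession.
    static final String BOUND_ATTR = "example.boundSslSessionId";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;
        HttpSession session = hreq.getSession(false);   // never create one just to check
        Object sslId = hreq.getAttribute(SSL_SESSION_ATTR);

        // Only enforce when there is a session, the request is over SSL, and the
        // connector actually forwarded the SSL session id (otherwise nothing to compare).
        if (session != null && hreq.isSecure() && sslId != null) {
            String bound = (String) session.getAttribute(BOUND_ATTR);
            if (bound == null) {
                session.setAttribute(BOUND_ATTR, sslId.toString());   // first use: bind
            } else if (!bound.equals(sslId.toString())) {
                // Same session cookie, different SSL session: treat as a stolen or
                // guessed session id, drop the session and refuse the request.
                session.invalidate();
                hres.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "session id does not match SSL session");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Note that a client can legitimately start a new SSL session (new connection without resumption), so a strict version of this check also logs out genuine users; that is the trade-off behind making the enforcement optional rather than mandatory.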