Like I said, you're session is open to snooping and hijacking, but your password is not revealed.
> -----Original Message----- > From: Ralph Einfeldt [mailto:[EMAIL PROTECTED]] > Sent: Friday, August 09, 2002 9:38 AM > To: Tomcat Users List > Subject: AW: SSL just for a login page > > > That's no solution, as now the oneway hash can be snooped > and hijacked. You win absolutly nothing but wasted efford. > > > -----Ursprüngliche Nachricht----- > > Von: Durham David Cntr 805CSS/SCBE > [mailto:[EMAIL PROTECTED]] > > Gesendet: Freitag, 9. August 2002 16:30 > > An: Tomcat Users List > > Betreff: RE: SSL just for a login page > > > > 2) After a successful login, (still ssl, don't put anything > > session yet) pass the user's ID and a one-way hashed version > > of their password to a non ssl page that authenticates this > > information and sets up their session. > > > > -- > To unsubscribe, e-mail: > <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: > <mailto:[EMAIL PROTECTED]> > > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
