On Thu, 17 Oct 2002, Henrik Bentel wrote:

> Date: Thu, 17 Oct 2002 04:45:21 +0000
> From: Henrik Bentel <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: problem with session tracking and redirection http<---> https
>
>
> ok, I see your point.
> My approach is that I only use https to scramble the login request itself,
> so that a login password cannot be read, or sniffed, in clear text (it
> probably still can, if someone really, really tries). Nothing critical is
> stored in the http session itself.

Doing this would be a total waste of time from a security perspective.
Nobody needs to see the password if they can see the session id and hijack
your session after you've logged on.  The only thing hiding the password
does is give you a false sense of security.

> A lot of websites do something similar, where only the password part is
> secure, and subsequent pages are insecure. And to change the password, the old
> one has to be entered. I guess I'm at a bit of a loss for a better way to do
> this? Any well-known approaches out there?
>

My advice would be to not use such applications yourself -- they can
clearly be hacked, so they are not trustworthy.

>
> -Henrik
>

Craig McClanahan
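
The hijacking risk Craig describes (the session ID crossing plain HTTP after an HTTPS login) can be closed at the container level. The filter below is an added example written for this thread, not Tomcat's code or Craig's; it assumes the javax.servlet Filter API and a hypothetical session attribute name, `loggedInOverHttps`, set once at login.

```java
// Added example (not from the thread): refuse to honour an HTTPS-established
// session whose cookie later arrives over plain HTTP, and rotate the session ID
// at login so a pre-login ID sniffed over HTTP is worthless afterwards.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SecureSessionFilter implements Filter {
    // Hypothetical attribute name: marks a session as created over HTTPS.
    private static final String SECURE_FLAG = "loggedInOverHttps";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        if (session != null
                && Boolean.TRUE.equals(session.getAttribute(SECURE_FLAG))
                && !request.isSecure()) {
            // The session ID just travelled in clear text: treat it as compromised,
            // drop the session, and push the client back to HTTPS to log in again.
            session.invalidate();
            response.sendRedirect(httpsUrl(request));
            return;
        }
        chain.doFilter(req, res);
    }

    /** Call once after a successful login that was submitted over HTTPS. */
    public static void markSecure(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate(); // rotate the ID at the trust boundary
        }
        request.getSession(true).setAttribute(SECURE_FLAG, Boolean.TRUE);
    }

    private static String httpsUrl(HttpServletRequest r) {
        String q = r.getQueryString();
        return "https://" + r.getServerName() + r.getRequestURI()
                + (q == null ? "" : "?" + q);
    }
}
```

Map the filter to `/*` in web.xml and call `SecureSessionFilter.markSecure(request)` from the login servlet; every page after login then has to stay on HTTPS, which is the only way the session ID stays off the wire in clear text.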


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
