javax.servlet.request.cipher_suite? Where did you get that?
Pae

> Actually (hopefully I didn't snip you out of context) ...
>
> If a user switches from http to https - shouldn't a new session id be
> assigned? If not - an attacker can swipe the session id while the user
> was in http mode. Then the attacker can issue requests using https with
> the http session id. Now this also relies on the assumption the
> attacker will know the user will switch to https mode. Then there exists
> the possibility the attacker can still gain some sensitive information.
> (Hopefully the web app designer never displays the entire credit card
> number on the screen)
>
> Or is there a way to additionally (programmatically) tie the session to
> an SSL client? (is that what javax.servlet.request.cipher_suite is for?)
>
> -Tim
>
> Craig R. McClanahan wrote:
>
> > Starting a session in http and switching to https for the sensitive part
> > (i.e. fill your shopping cart on http and switch for the checkout page
> > that asks for your credit card number) is fine.
> >
> > Switching from https to http, in the same session, is not fine.
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
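The mitigation Tim asks about, as an added example that is not part of this thread and not Tomcat's own code: a servlet filter that rotates the session id the first time a session is used over HTTPS, so an id observed on the plain-http side stops working once the user reaches the checkout page. It assumes a Servlet 3.1 or later container (for HttpServletRequest.changeSessionId()); the filter class and the session attribute name are hypothetical.

```java
// Added example, not from the thread. Requires Servlet 3.1+ for changeSessionId().
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

@WebFilter("/*")
public class SessionUpgradeFilter implements Filter {

    // Hypothetical attribute name; marks a session whose id was already rotated.
    static final String UPGRADED = "SessionUpgradeFilter.upgradedToTls";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req.isSecure() && req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            HttpSession session = http.getSession(false); // never create one here
            if (session != null && session.getAttribute(UPGRADED) == null) {
                // First HTTPS request carrying a session that may have been created
                // (and its id exposed) over plain http: issue a fresh id. Session
                // attributes such as the shopping cart are kept; only the id the
                // client must present changes.
                http.changeSessionId();
                session.setAttribute(UPGRADED, Boolean.TRUE);
                // The container exposes the negotiated cipher suite under this
                // standard attribute. It names the TLS cipher suite shared by many
                // clients, so it identifies the connection type, not the user.
                Object suite = http.getAttribute("javax.servlet.request.cipher_suite");
                http.getServletContext().log(
                        "session id rotated on first https use, cipher_suite=" + suite);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Rotating the id only covers the http-to-https direction Craig calls fine; a later https-to-http request would again send the (new) id in clear, which is why the reverse switch within one session is still not fine.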
