Anybody who can listen to your traffic can hijack 
a session. He just has to create a request with the 
same session id (either as cookie or in the URL).

So after you go back from https to http you open 
the session to an attacker.

The risks that are involved with that depend on the 
application.

> -----Original Message-----
> From: David Hemingway [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 09, 2003 7:59 AM
> To: Tomcat Users List
> Subject: HTTPS to HTTP
> 
> 
> 2 Does this open up a huge security hole that I am 
> not seeing. I have heard things about session hijacking?
> 
> Many thanks
> regards,
> 
> Dave
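One way to contain the risk the reply describes, as an added example rather than code from the thread or from Tomcat itself: a servlet Filter that notices when a session which has been used over HTTPS is presented again over plain HTTP, and invalidates it instead of continuing it. The class name, the session attribute key and the error message are assumptions; the servlet calls (`isSecure()`, `getSession(false)`, `invalidate()`) are the standard javax.servlet API.

```java
// Added example (not from the original thread or from Tomcat): a servlet Filter
// that refuses to continue a session over plain HTTP once that session has been
// used over HTTPS. Class name and attribute key are hypothetical.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SecureSessionFilter implements Filter {

    // Session attribute recording that this session has been used over TLS.
    private static final String SECURE_ATTR = "example.sessionWasSecure";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Resolve the session only if the client presented an id (cookie or
        // rewritten URL); never create one here.
        HttpSession session = request.getSession(false);

        if (session != null) {
            if (request.isSecure()) {
                // Remember that this session id has travelled over HTTPS.
                session.setAttribute(SECURE_ATTR, Boolean.TRUE);
            } else if (session.getAttribute(SECURE_ATTR) != null) {
                // The same id has now been sent in the clear, so anyone on the
                // path could have read it. Drop the session and reject the
                // request rather than serving it as the logged-in user.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Session may not be continued over plain HTTP");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter to `/*` in web.xml so it runs before every servlet and JSP. Two caveats: `isSecure()` reports what the Tomcat connector saw, so behind a TLS-terminating proxy it is false unless the connector is told the request arrived securely; and this filter only limits the damage after the downgrade has happened. The stronger fix is to keep the session cookie from ever crossing to HTTP by sending it with the `Secure` attribute and not switching an authenticated session back to HTTP at all.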
