Ralph Einfeldt wrote:
> Anybody who can listen to your traffic can hijack a session. He just has to create a request with the same session id (either as a cookie or in the URL).

I think it would be useful to be able to configure Tomcat to use the same session id when downgrading from https to http. This caters for the case where an application really does not have significant security requirements - the login is needed only to identify the user so that e.g. their non-confidential preferences can be applied, and it does not matter that others might masquerade as that user. In that case the session may as well be conducted in http (e.g. for performance reasons). However, the password itself should always be hidden using https, because it is likely that the user will employ that same password for other applications where security *is* important.

> So after you go back from https to http you open the session to an attacker.
> The risks that are involved with that depend on the application.

Note that when there are risks with the application there should be no http access at all - that's easy enough to arrange.

John
-----Original Message-----
From: David Hemingway [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 7:59 AM
To: Tomcat Users List
Subject: HTTPS to HTTP

2 Does this open up a huge security hole that I am not seeing? I have heard things about session hijacking.

Many thanks
regards,
Dave
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
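One way to close the window Ralph describes on the application side, as an added example that is neither code from this thread nor part of Tomcat: a servlet filter that remembers whether a session was ever used over HTTPS and refuses to honour that session id when it later arrives over plain HTTP. Sessions that only ever lived on HTTP (John's non-confidential preferences case) pass through untouched; a session that carried the login over TLS is invalidated the moment its id shows up in the clear, so an id sniffed on the HTTP leg cannot be replayed against state created behind TLS. The class name, the session attribute name and the `loginUrl` init-parameter are assumptions for the example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds a session to the transport it was established on (hypothetical
 * example, not Tomcat code). A session first seen over HTTPS is marked;
 * any later plain-HTTP request presenting that session id is rejected and
 * the session invalidated. Sessions that never touched HTTPS are left alone.
 */
public class TransportBoundSessionFilter implements Filter {

    /** Session attribute recording that the session was used over TLS (assumed name). */
    static final String ESTABLISHED_OVER_TLS = "example.session.establishedOverTls";

    /** Where a client with a rejected, downgraded session is sent (assumed default). */
    private String loginUrl = "/login";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("loginUrl");
        if (configured != null) {
            loginUrl = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only inspect a session that already exists; never create one here.
        HttpSession session = request.getSession(false);

        if (!request.isSecure()) {
            if (session != null && session.getAttribute(ESTABLISHED_OVER_TLS) != null) {
                // The id was established over HTTPS but now arrives in the clear.
                // Treat it as exposed: drop the session and send the client back to login.
                session.invalidate();
                response.sendRedirect(loginUrl);
                return;
            }
            // Plain-HTTP session that never saw TLS: allowed (low-security use case).
            chain.doFilter(req, res);
            return;
        }

        chain.doFilter(req, res);

        // Mark after the chain has run so a session the application created
        // during this HTTPS request (e.g. at login) is covered as well.
        // Tomcat returns null here for a session the application invalidated.
        HttpSession after = request.getSession(false);
        if (after != null && after.getAttribute(ESTABLISHED_OVER_TLS) == null) {
            after.setAttribute(ESTABLISHED_OVER_TLS, Boolean.TRUE);
        }
    }

    public void destroy() {
    }
}
```

Map the filter in web.xml with a `<filter>` entry and a `<filter-mapping>` whose `url-pattern` is `/*`, and pass `loginUrl` as an `<init-param>` if the default is wrong for the application. On Servlet 3.0 and later containers the `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>` setting is the simpler, stricter alternative: the browser then never sends the session cookie over http at all, which removes the replay window entirely but also rules out the shared http/https session John asks for.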
