hc-dev mailing list archives

From "Kalnichevski, Oleg" <oleg.kalnichev...@bearingpoint.com>
Subject RE: Problem maintaining sessions through HTTPS
Date Thu, 23 Oct 2003 16:18:17 GMT
> We've been examining the headers, but the server doesn't seem to send any
> cookies (in http it does, but not in https). I was assuming this was
> supposed to be done through some under-water process (I'm not very familiar
> with https), but the HttpState object does not contain any cookies in its
> cookie collection after the first request (in http it does). Is this normal?

Some application servers (IBM WebSphere 4.0.x for instance) can use the SSL session ID instead
of a session cookie to look up HTTP session data on the server side. This certainly makes things
more secure, as many exploits based on stealing or faking the session cookie are rendered
impossible.

Oleg

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org

