httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Krist van Besien <>
Subject Re: [users@httpd] Re: HTTPS only for login page (when apache front tomcat)
Date Thu, 22 Apr 2010 13:04:00 GMT
On Thu, Apr 22, 2010 at 1:38 PM, Nicholas Sherlock <> wrote:
> On 22/04/2010 5:29 p.m., Krist van Besien wrote:
>> Just consider the following:
>> - You direct a user to a login form. He enters username and password,
>> gets authenticated and receives a session cookie from the server.
>> - This session cookie is sent with each subsequent request, so that
>> the requests can be associated with an authenticated user.
>> - Someone intercepts this cookie by eavesdropping on the line. With
>> this cookie this person can now impersonate the user without knowing
>> the user's username or password...
> Very true. However, it does protect the user's username and password. A
> large proportion of users use the same password for everything online. You
> don't want a login sniffed from your site to be used to breach the user's
> bank account.

There is in my opinion no good reason not to have https for the whole
session. The "performance" argument doesn't really apply anymore in a
time that you can buy several webservers for the cost of employing one
webserver specialist for a day...


Bremgarten b. Bern, Switzerland
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message