httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Krist van Besien <krist.vanbes...@gmail.com>
Subject Re: [users@httpd] Re: HTTPS only for login page (when apache front tomcat)
Date Thu, 22 Apr 2010 13:04:00 GMT
On Thu, Apr 22, 2010 at 1:38 PM, Nicholas Sherlock <n.sherlock@gmail.com> wrote:
> On 22/04/2010 5:29 p.m., Krist van Besien wrote:
>>
>> Just consider the following:
>> - You direct a user to a login form. He enters username and password,
>> gets authenticated and receives a session cookie from the server.
>> - This session cookie is sent with each subsequent request, so that
>> the requests can be associated with an authenticated user.
>> - Someone intercepts this cookie by eavesdropping on the line. With
>> this cookie this person can now impersonate the user without knowing
>> the user's username or password...
>
> Very true. However, it does protect the user's username and password. A
> large proportion of users use the same password for everything online. You
> don't want a login sniffed from your site to be used to breach the user's
> bank account.

There is in my opinion no good reason not to have https for the whole
session. The "performance" argument doesn't really apply anymore in a
time that you can buy several webservers for the cost of employing one
webserver specialist for a day...

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message