tomcat-users mailing list archives

From "Anders Rundgren" <anders.rundg...@telia.com>
Subject Re: sessions, security, and the RFCs
Date Wed, 03 Apr 2002 08:52:15 GMT
Ralph,
I could not find anything that disallows switching between https and http
in any order while maintaining.  Although not a particularly good
idea, it is anyhow used "out there" to protect passwords but be
less protective about the session.

I think that security issues should be dealt with as options to not outlaw
schemes that actually are used.

cheers,
Anders

----- Original Message -----
From: "Ralph Einfeldt" <ralph.einfeldt@uptime-isc.de>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Sent: Wednesday, April 03, 2002 09:28
Subject: AW: AW: AW: sessions, security, and the RFCs



I can't find in the spec that the session shall
be maintained if you switch from http to https.

Can you provide a reference?

Wouldn't this be as dangerous as to keep the
session after you go back from SSL to non-SSL ?
As I see it, this would open the door to anyone
who could listen to the http network traffic to
steal the secure session.

| SRV.7.1.2 SSL Sessions
| Secure Sockets Layer, the encryption technology
| used in the HTTPS protocol, has a mechanism built
| into it allowing multiple requests from a client
| to be unambiguously identified as being part of a
| session. A servlet container can easily use this
| data to define a session.

| 12.8 ...
| The container must at least use SSL to respond to
| requests to resources marked integral or confidential.
| If the original request was over HTTP, the container
| must redirect the client to the HTTPS port.

> -----Original Message-----
> From: Craig R. McClanahan [mailto:craigmcc@apache.org]
> Sent: Tuesday, 2 April 2002 18:47
> To: Tomcat Users List
> Subject: Re: AW: AW: sessions, security, and the RFCs
<snip/>
> Servlet 2.3 (basis for Tomcat 4.x) added some specific
> requirements (such as the ability to redirect from the
> non-SSL port to the SSL port and maintain the session).
<snip/>
> Note -- anyone who goes from the SSL port back to the
> non-SSL port has just created a security hole.

--
To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>
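The two switch directions argued about in this thread (Craig's "SSL port back to the non-SSL port" hole, and the Servlet 2.3 redirect from the non-SSL port to the SSL port that keeps the session) come down to one property of the session cookie: whether the container sets the Secure attribute on it. The script below is an added example, not code from this thread, from the Servlet spec or from Tomcat. It uses Python's standard http.cookiejar, which applies the same Netscape-style cookie rules a browser does, to show what a sniffer on the http side would see in each case. The host name shop.example.com, the paths and the JSESSIONID values are made up, and the rotate branch in plain_to_ssl_upgrade models a hypothetical container that issues a fresh Secure session id after the redirect; nothing here claims that is what Tomcat 4 does.

```python
"""
Added example (not from the thread, the Servlet spec or Tomcat): what a
client's cookie jar does with a JSESSIONID cookie when the site switches
between http and https.  Host, paths and session ids are constructed.
"""
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Stand-in for a urllib response; CookieJar only calls .info() on it."""

    def __init__(self, set_cookie_values):
        self._msg = email.message.Message()
        for value in set_cookie_values:
            self._msg["Set-Cookie"] = value  # one header line per cookie

    def info(self):
        return self._msg


def receive_session(jar, url, session_id, secure):
    """Simulate the container answering a request to `url` with a JSESSIONID.

    `secure=True` adds the Secure attribute, which tells the client never to
    send the cookie over a non-SSL connection.
    """
    attrs = f"JSESSIONID={session_id}; Path=/"
    if secure:
        attrs += "; Secure"
    jar.extract_cookies(_Response([attrs]), urllib.request.Request(url))


def cookie_sent_to(jar, url):
    """Cookie header the client would put on a request to `url` (None if none)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def ssl_to_plain_leak(secure_flag):
    """Craig's case: the session is created on the SSL port, then the client
    follows a plain http link on the same host.  Returns what a sniffer on the
    http side sees in the Cookie header."""
    jar = http.cookiejar.CookieJar()
    receive_session(jar, "https://shop.example.com/login", "AAAA1111",
                    secure=secure_flag)
    return cookie_sent_to(jar, "http://shop.example.com/catalog")


def plain_to_ssl_upgrade(rotate):
    """Servlet 2.3 case: the session starts over http, the container redirects
    a CONFIDENTIAL resource to https and keeps the session.

    Returns (id exposed on http before the redirect,
             id used on https after it,
             id seen on http afterwards or None).
    `rotate=True` is a hypothetical container that invalidates the exposed id
    and issues a new Secure one once the client is on the SSL port.
    """
    jar = http.cookiejar.CookieJar()
    receive_session(jar, "http://shop.example.com/", "BBBB2222", secure=False)
    exposed = cookie_sent_to(jar, "http://shop.example.com/checkout")
    if rotate:
        # Same name/domain/path, so the jar replaces the old cookie.
        receive_session(jar, "https://shop.example.com/checkout", "CCCC3333",
                        secure=True)
    used_on_ssl = cookie_sent_to(jar, "https://shop.example.com/checkout")
    seen_on_plain = cookie_sent_to(jar, "http://shop.example.com/help")
    return exposed, used_on_ssl, seen_on_plain


if __name__ == "__main__":
    print("SSL -> plain, no Secure flag :", ssl_to_plain_leak(False))
    print("SSL -> plain, Secure flag    :", ssl_to_plain_leak(True))
    print("plain -> SSL, id kept        :", plain_to_ssl_upgrade(False))
    print("plain -> SSL, id rotated     :", plain_to_ssl_upgrade(True))
```

Without Secure, the id minted on the SSL port is replayed on the very first http request, which is the hole Craig describes; with Secure the client withholds it, so the session is simply not available on the non-SSL port rather than exposed there. In the redirect direction the id was already on the wire in the clear before the container ever saw the https request, so "maintaining the session" carries a sniffable id into the confidential part of the site, the symmetric risk Ralph raises; issuing a fresh Secure id after the upgrade is what closes it.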