tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ralph Einfeldt" <ralph.einfe...@uptime-isc.de>
Subject AW: AW: AW: sessions, security, and the RFCs
Date Wed, 03 Apr 2002 07:28:07 GMT

I can't find in the spec that the session shall
be maintained if you switch from http to https. 

Can you provide a reference?

Wouldn't this be as dangerous as to keep the 
session after you go back from SSL to non-SSL ? 
As I see it, this would open the door to anyone 
who could listen to the http network traffic to 
steel the secure session.

| SRV.7.1.2 SSL Sessions
| Secure Sockets Layer, the encryption technology 
| used in the HTTPS protocol, has a mechanism built 
| into it allowing multiple requests from a client 
| to be unambiguously identified as being part of a 
| session. A servlet container can easily use this 
| data to define a session.

| 12.8 ...
| The container must at least use SSL to respond to
| requests to resources marked integral or confidential. 
| If the original request was over HTTP, the container 
| must redirect the client to the HTTPS port.

> -----Urspr√ľngliche Nachricht-----
> Von: Craig R. McClanahan [mailto:craigmcc@apache.org]
> Gesendet: Dienstag, 2. April 2002 18:47
> An: Tomcat Users List
> Betreff: Re: AW: AW: sessions, security, and the RFCs
<snip/>
> Servlet 2.3 (basis for Tomcat 4.x) added some specific 
> requirements (such as the ability to redirect from the 
> non-SSL port to the SSL port and maintain the session).
<snip/>
> Note -- anyone who goes from the SSL port back to the 
> non-SSL port has just created a security hole.

--
To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>


Mime
View raw message