tomcat-users mailing list archives

From Maninder S Batth <anywherei...@netscape.net>
Subject Re: problem with session tracking and redirection http<---> https
Date Sat, 19 Oct 2002 02:28:59 GMT
Please correct me if I am wrong. Session id could be hijacked anytime if
it is transmitted as clear text. So once the user has logged in, and the user
gets a new session id, this session id could be sniffed
and the person can still be impersonated? How is this related to the
https-->http transition?

Craig R. McClanahan wrote:

>On Fri, 18 Oct 2002, Henrik Bentel wrote:
>
>>Date: Fri, 18 Oct 2002 23:07:17 +0000
>>From: Henrik Bentel <henrik_bentel@hotmail.com>
>>Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
>>To: tomcat-user@jakarta.apache.org
>>Subject: Re: problem with session tracking and redirection http<---> https
>>
>>
>>
>>yeah, I always encode the redirection URL.
>>it's weird that it works if the session is created under http, but not
>>under https.
>>
>>bug maybe?
>>
>
>Nope ... avoidance of a huge security hole.
>
>Once a session is accessed via https, it should never ever be allowed to
>be accessed from http again.  The reason for this is that the session id
>is transmitted in clear text, so anyone who can snoop the network can
>hijack your session and impersonate the originally authenticated user
>(even if that user originally authenticated on an encrypted channel).
>
>Do not, under any circumstances, design applications that depend on
>maintaining session state across an https --> http transition.
>
>Craig McClanahan



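The rule Craig describes (a session that has been used over HTTPS must not be honoured over plain HTTP again, because its id is then exposed in clear text to anyone sniffing the network) can be enforced at the application level with a servlet filter. The following is an added example, not Tomcat's own implementation of that check; the session attribute name `example.usedOverHttps` is an assumption chosen for this illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Refuses to continue a session over plain HTTP once it has been used over
 * HTTPS. The session id would otherwise travel in clear text and could be
 * replayed by anyone who captured it on the network.
 */
public class SecureSessionFilter implements Filter {

    // Attribute name chosen for this example (an assumption, not a Tomcat key).
    private static final String USED_OVER_HTTPS = "example.usedOverHttps";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) only returns an existing session; it never creates one.
        HttpSession session = request.getSession(false);

        if (session != null) {
            if (request.isSecure()) {
                // Mark the session as having been used on an encrypted channel.
                session.setAttribute(USED_OVER_HTTPS, Boolean.TRUE);
            } else if (Boolean.TRUE.equals(session.getAttribute(USED_OVER_HTTPS))) {
                // Same id now arriving in clear text: treat it as exposed and drop it.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Session established over HTTPS cannot be continued over HTTP");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Map the filter to `/*` in web.xml so it runs before any servlet that touches the session; marking the session cookie `Secure` complements this by stopping the browser from sending the id over HTTP in the first place.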