tomcat-users mailing list archives

From "Ralph Einfeldt" <ralph.einfe...@uptime-isc.de>
Subject RE: HTTPS to HTTP
Date Thu, 09 Jan 2003 07:59:30 GMT

Anybody who can listen to your traffic can hijack 
a session. He just has to create a request with the 
same session id (either as a cookie or in the URL).

So after you go back from https to http you open 
the session to an attacker.

The risks that are involved with that depend on the 
application.

> -----Original Message-----
> From: David Hemingway [mailto:dbh001@kooee.com.au]
> Sent: Thursday, January 09, 2003 7:59 AM
> To: Tomcat Users List
> Subject: HTTPS to HTTP
> 
> 
> 2 Does this open up a huge security hole that I am 
> not seeing? I have heard things about session hijacking?
> 
> Many thanks
> regards,
> 
> Dave

--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
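The point made above, that a session id issued over HTTPS becomes an open door the moment the same id is accepted over plain HTTP, can be enforced inside the web application. The filter below is an added example written for this thread, not code from the list or from Tomcat itself. It assumes the Servlet 2.3 API that Tomcat 4 implements; the session attribute name, the redirect-to-https rule and the 403 for URL-carried ids are design choices of this example, not container behaviour.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the mailing-list thread or from Tomcat):
 * remembers whether a session was first seen over HTTPS and refuses to
 * honour it if the same id later arrives over plain HTTP. A session id
 * presented in the URL is treated as already disclosed and rejected.
 */
public class SessionTransportFilter implements Filter {

    // Session attribute used to remember "first seen over HTTPS".
    // The name is this example's own assumption.
    private static final String SECURE_ORIGIN = "SessionTransportFilter.secure";

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only inspect a session that already exists; never create one here.
        HttpSession session = request.getSession(false);

        if (session != null) {
            // An id rewritten into the URL ends up in proxy logs, Referer headers
            // and browser history, so it is treated as disclosed.
            if (request.isRequestedSessionIdFromURL()) {
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Session id must be sent as a cookie");
                return;
            }

            Boolean secureOrigin = (Boolean) session.getAttribute(SECURE_ORIGIN);
            if (secureOrigin == null) {
                // First request carrying this session: record its transport.
                session.setAttribute(SECURE_ORIGIN, Boolean.valueOf(request.isSecure()));
            } else if (secureOrigin.booleanValue() && !request.isSecure()) {
                // The id was established under HTTPS and is now on the wire in
                // the clear. Anyone on the path could have read it, so drop the
                // session and send the client back to the secure entry point.
                session.invalidate();
                response.sendRedirect(httpsUrl(request));
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Rebuilds the requested URL with the https scheme on the default port.
    // Port mapping is deployment specific and left out of this example.
    private static String httpsUrl(HttpServletRequest request) {
        StringBuffer url = new StringBuffer("https://");
        url.append(request.getServerName());
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }
}
```

Map the filter to `/*` in web.xml so it runs before any servlet or JSP that touches the session. Rejecting URL-carried ids breaks clients that have cookies disabled; that is the intended trade-off here, since URL rewriting is exactly the "or in the url" case named above. The filter does not replace the Secure flag on the session cookie (a cookie marked Secure is never sent over HTTP in the first place); it is a check inside the application for the case where the id does arrive in the clear.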

