From: "Ralph Einfeldt"
To: "Tomcat Users List"
Subject: RE: HTTPS to HTTP
Date: Thu, 9 Jan 2003 08:59:30 +0100

Anybody who can listen to your traffic can hijack a session. He just has to
create a request with the same session id (either as a cookie or in the URL).
So after you go back from HTTPS to HTTP you open the session to an attacker.
The risks that are involved with that depend on the application.

> -----Original Message-----
> From: David Hemingway [mailto:dbh001@kooee.com.au]
> Sent: Thursday, January 09, 2003 7:59 AM
> To: Tomcat Users List
> Subject: HTTPS to HTTP
>
>
> 2. Does this open up a huge security hole that I am not seeing? I have heard
> things about session hijacking?
>
> Many thanks, regards,
> Dave
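The downgrade Ralph describes, as an added example that is not part of the original thread and not Tomcat's own code. It models a victim who logs in over HTTPS and then requests an http:// page, an attacker who copies the session id off the wire, and three server configurations: one that accepts the id from any scheme, one that refuses and destroys an HTTPS session presented over HTTP, and one that additionally marks the cookie Secure so the browser never sends it over plain HTTP. The session store, the browser model and the request paths are constructed for illustration; only the JSESSIONID cookie name and the ;jsessionid= path parameter are Tomcat's conventions.

```python
"""Model of the HTTPS -> HTTP downgrade described in the thread.

Constructed example: the session store, the browser model and the
request shapes are assumptions made for illustration, not Tomcat code.
JSESSIONID and the ;jsessionid= path parameter are Tomcat's conventions.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie

COOKIE = "JSESSIONID"
URL_SID = re.compile(r";jsessionid=([^;?/#]+)", re.IGNORECASE)


def session_id_from_request(path: str, cookie_header: str) -> str | None:
    """The id travels as a cookie or, with URL rewriting, inside the path;
    either one is readable by anyone on the wire when the scheme is http."""
    jar = SimpleCookie(cookie_header)
    if COOKIE in jar:
        return jar[COOKIE].value
    m = URL_SID.search(path)
    return m.group(1) if m else None


@dataclass
class Session:
    id: str
    user: str
    https_only: bool  # established over HTTPS, never to be honoured over HTTP


class SessionStore:
    """enforce_scheme: refuse (and burn) an HTTPS session presented over HTTP.
    secure_flag: mark the cookie Secure so the browser never sends it over HTTP."""

    def __init__(self, enforce_scheme: bool, secure_flag: bool):
        self.enforce_scheme = enforce_scheme
        self.secure_flag = secure_flag
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, scheme: str) -> Session:
        s = Session(secrets.token_hex(16), user, https_only=(scheme == "https"))
        self._sessions[s.id] = s
        return s

    def set_cookie(self, s: Session) -> str:
        jar = SimpleCookie()
        jar[COOKIE] = s.id
        jar[COOKIE]["httponly"] = True
        if self.secure_flag and s.https_only:
            jar[COOKIE]["secure"] = True
        return jar.output(header="").strip()

    def resolve(self, scheme: str, path: str, cookie_header: str) -> Session | None:
        sid = session_id_from_request(path, cookie_header)
        s = self._sessions.get(sid) if sid else None
        if s is None:
            return None
        if self.enforce_scheme and s.https_only and scheme != "https":
            # The id has just crossed the network in clear text; treat it as
            # compromised and destroy the session instead of serving it.
            del self._sessions[s.id]
            return None
        return s


def browser_cookie_header(set_cookie: str, scheme: str) -> str:
    """Browser model: echo the cookie back unless Secure forbids it over http."""
    morsel = SimpleCookie(set_cookie)[COOKIE]
    if morsel["secure"] and scheme != "https":
        return ""
    return f"{COOKIE}={morsel.value}"


def run(enforce_scheme: bool, secure_flag: bool) -> dict[str, bool]:
    """Victim logs in over HTTPS, then follows a link to an http:// page.
    An attacker sniffing that request replays the Cookie header verbatim."""
    server = SessionStore(enforce_scheme, secure_flag)
    set_cookie = server.set_cookie(server.login("dave", "https"))

    leaked = browser_cookie_header(set_cookie, "http")  # on the wire in clear
    victim = server.resolve("http", "/app/page", leaked)
    replay_http = server.resolve("http", "/app/page", leaked)
    replay_https = server.resolve("https", "/app/page", leaked)
    return {
        "cookie_on_wire": bool(leaked),
        "victim_served_over_http": victim is not None,
        "attacker_replay_over_http": replay_http is not None,
        "attacker_replay_over_https": replay_https is not None,
    }


if __name__ == "__main__":
    for cfg in ((False, False), (True, False), (True, True)):
        print(cfg, run(*cfg))
```

In the first configuration the replayed cookie works over both http and https, which is the hijack Ralph describes. The second configuration still leaks the id on the victim's first plain-HTTP request, but the server treats that id as burned, so the victim is logged out and the replay fails. Only the third keeps the id off the wire altogether, and even then an id carried in the URL by rewriting would still be exposed, which is why the lookup above checks both places.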