tomcat-users mailing list archives

From footh <>
Subject Re: SSL and form-based login
Date Sun, 21 Nov 2004 18:53:52 GMT
The URL in the browser is the URL of the protected
page I'm trying to access.  So, for example if
/test/test.jsp is protected by forms-login and I click
a link to that page, /test/test.jsp will be the URL in
the browser, but the login page will appear on the

I am sure I didn't already accept the certificate as
after I hit the login page, instead of logging in, I
type in the URL to the home page but use https and the
certificate dialog box comes up.  Then I press cancel,
and repeat the process, and once again the certificate
box comes up.

--- wrote:

> On Sat, Nov 20, 2004 at 04:59:31PM -0800, footh wrote:
> > SSL seems to be working fine, however, I don't believe the login page
> > is using SSL.  The reason being is, when I try to hit any other page on
> > the site with SSL, my browser invokes the certificate dialog box.
> > However, when the form-based login forces the redirect to my custom
> > login page, I don't get the certificate dialog box.  Here's a snippet
> > of the relevant parts of web.xml (sorry if the formatting is bad):
>
> 	Does your browser url say https?  If so, it should be in secure mode.
> Are you sure you didn't already accept the certificate during your
> browser session?  Try sniffing your network traffic to make sure though.
>
> > However, all these types of posts seem to be several years old.  Is
> > this still a bad switch from https to http?
>
> 	That depends on what you're trying to guarantee.
> 	If you're just trying to protect the password information that is
> entered during login, then switching back to http is ok.
> 	However, since the subsequent traffic is unencrypted an attacker could
> observe the sessionid that is used and hijack the session, often without
> any immediate indication of a problem from the user's point of view.
> 	If you're paranoid you'll want to do things like make sure a _new_
> sessionid is created once you jump into https mode, and cause any
> non-https access using that new sessionid to instantly invalidate the
> session.  (although as soon as there's any non-encrypted access with a
> given sessionid the attacker can theoretically race your session-killing
> request and create some havoc)
> 	For the slightly less paranoid, identifying the sensitive portions of
> your application and gating them with another https enabled password
> page might be reasonable.
> 	It all depends on how worried you are and how much effort you think
> someone will put into circumventing your security.
> eric


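Editor's note on the first half of the exchange (the login form not appearing over SSL). The poster's web.xml snippet did not survive on this page, so the fragment below is an added example written for this archive, not the poster's configuration and not shipped Tomcat code. It shows the one element that decides which scheme the form-login exchange runs over: a security-constraint that only has an auth-constraint makes Tomcat forward to the login page on whatever scheme the original request used (which is also why the browser keeps showing the protected URL, as the poster observed); adding a user-data-constraint of CONFIDENTIAL makes Tomcat redirect the request to the SSL connector before it ever renders the login form. The paths, role name and page names are placeholders.

```xml
<!-- Added example, not the poster's web.xml (which is not on the page). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected test area</web-resource-name>
    <url-pattern>/test/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <!-- Without this element the login page, and the POST of the password to
       j_security_check, run over whatever scheme the first request used.
       With it, Tomcat checks transport before authentication and redirects
       the http request to the SSL connector first. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- The form is forwarded to at the protected URL, so it inherits that
         request's scheme; it needs no constraint of its own. -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
```

For the redirect to work the plain-HTTP Connector in server.xml must have its redirectPort pointing at the SSL connector (the stock server.xml pairs port 8080 with redirectPort 8443); otherwise the request is refused rather than upgraded. The quick check Eric suggests still applies: sniff the login POST (or watch the browser's address bar during the j_security_check submission) and confirm it is https.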
