tomcat-users mailing list archives

From Martin Bromley <>
Subject Re: Session Security
Date Fri, 29 Jul 2005 13:08:15 GMT
Simple solution: use SSL for all pages that have a session.  AFAIK there's no way to keep a
session secure without it all being over SSL.

So the login process must be over SSL, and then everything until log-out should be over SSL
also (I'm making the assumption that you're only using sessions for a restricted area of the

See for excellent information on securing web apps. covers session management.


Jagadeesha T wrote:
> Hi All,
>         Cookie information goes to the server in clear text, I think. I don't know if it can be
> configured to be sent as cipher text.
> When it goes over the network to the browser, if SSL is not enabled, Cookie;JSESSIONID;value can
> be seen through Ethereal and also copied. If anybody tries that cookie with the URL,
> it will take the person directly to that page. How can I disable it?
> Please could anybody tell me how to avoid it.
> Thanks,
> Jagadeesha T
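As an added example (not part of this thread, and not Martin's or Jagadeesha's code), here is how the advice above is expressed in a Tomcat web application's web.xml: a security-constraint with transport-guarantee CONFIDENTIAL over every URL that carries the session, from the login page through to logout. The URL patterns (/login/*, /restricted/*, /logout), the role name "user" and the login page names are assumptions for illustration.

```xml
<!-- Added example: web.xml fragment that makes Tomcat enforce HTTPS for the
     login page and the whole restricted area. URL patterns, role name and
     login page names are assumed for illustration. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- 1. Transport rule: every URL that carries the session must be HTTPS.
       The login page is included so the JSESSIONID cookie is first issued
       over SSL; logout is included so the session id is never replayed in
       clear text on the way out. CONFIDENTIAL makes Tomcat redirect a plain
       HTTP request for these URLs to the HTTPS connector instead of
       serving it. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Session-bearing pages</web-resource-name>
      <url-pattern>/login/*</url-pattern>
      <url-pattern>/restricted/*</url-pattern>
      <url-pattern>/logout</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 2. Authorization rule: the restricted area additionally requires a
       logged-in user in the assumed role "user". -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted area</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form login; both pages fall under /login/* and are therefore
       only ever served over HTTPS. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login/index.jsp</form-login-page>
      <form-error-page>/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

Two things to check when using this. First, the redirect only works if the plain-HTTP connector in server.xml has its redirectPort pointing at the HTTPS connector (8443 in the default configuration); otherwise Tomcat cannot send the browser anywhere and returns an error. Second, Tomcat marks the JSESSIONID cookie Secure only when the session cookie is issued on an HTTPS request, so a session that was first created by some unconstrained HTTP page keeps a cookie the browser will still send over HTTP. Having the application invalidate any existing session and create a fresh one at login avoids that, and also closes the session-fixation case where an attacker hands the victim a session id in advance.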

