tomcat-users mailing list archives

From Martin Bromley <martin.brom...@sustainable-energy.co.uk>
Subject Re: Session Security
Date Fri, 29 Jul 2005 13:08:15 GMT
Simple solution: use SSL for all pages that have a session.  AFAIK there's no way to keep a
session secure without it all being over SSL.

So the login process must be over SSL, and then everything until log-out should be over SSL
also (I'm making the assumption that you're only using sessions for a restricted area of the
site).

See www.owasp.org for excellent information on securing web apps.

http://www.owasp.org/documentation/topten/a3.html covers session management.

Martin

Jagadeesha T wrote:
> Hi All,
>         Cookie information goes to the server in clear text, I think. I don't know if it
> can be configured to send it as cipher text.
> When it goes over the network to the browser, if SSL is not enabled, the Cookie; JSESSIONID; value
> can be seen through Ethereal and also copied. If anybody tries with that cookie with the URL,
> it will take the person directly to that page. How can I disable it?
> Please could anybody tell me how to avoid it.
>
> Thanks,
> Jagadeesha T

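Martin's advice above ("login over SSL, then everything until log-out over SSL") is, in Tomcat, a web.xml user-data-constraint with transport-guarantee CONFIDENTIAL on every URL that touches the session. The fragment below is an added example, not code from either poster; the paths /login.jsp, /logout.jsp and /secure/* and the role name "member" are assumed for illustration.

```xml
<!-- web.xml fragment (Servlet 2.4 schema, as used by Tomcat 5.x). Added example;
     the url-patterns and the role name "member" are assumptions, not from the post. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- 1. Transport guarantee: every URL that creates or uses the session,
          including the login form, the authentication target and logout,
          is only served over HTTPS. A plain-HTTP request is redirected to
          the SSL connector (see the redirectPort note below). No
          auth-constraint here, because the login page itself must be
          reachable before the user is authenticated. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything that carries a session</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/j_security_check</url-pattern>
      <url-pattern>/logout.jsp</url-pattern>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 2. Access control: the restricted area additionally requires an
          authenticated user in the (assumed) "member" role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login.jsp?failed=1</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

Two things to check alongside this. First, the redirect only works if the HTTP Connector in server.xml has a redirectPort pointing at an enabled SSL Connector (the stock configuration uses 8443); without an SSL connector the CONFIDENTIAL constraint just yields a failed redirect. Second, Tomcat marks the JSESSIONID cookie Secure only when the session is created on a request that arrived over SSL, so a session that was first created on an unprotected HTTP page keeps its non-Secure cookie after login. If any HTTP page on the site can create a session, invalidate the session on successful login and let a new one be created over HTTPS; otherwise the cookie observed in Ethereal on the HTTP side is the same one that is valid in the restricted area.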

