tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Peter Crowther" <>
Subject RE: Tomcat IP and Session ID's
Date Fri, 24 Feb 2006 14:40:57 GMT
> From: Paul Roberts [] 
> I was wondering, over and above encrypting the communications 
> channel how does HTTPS help to prevent session ID hijacking?

To my knowledge, it doesn't (better heads than me may wish to contradict
me here).  But keeping a randomly-generated session ID encrypted during
communication is exactly as strong as keeping (say) your credit card
information, or your bank account login and password encrypted across
the wire.  It's pretty clear that most organisations are willing to
trust SSL for financial information; if you are doing something that
requires higher security than that, you'll want to investigate
additional mechanisms such as client certificates.

		- Peter

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message