tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: session hijacking again
Date Wed, 31 Jan 2007 01:40:05 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mitchell,

Fisher, Mitchell L wrote:
>> Without SSL, though, remember that anyone who is capable of hijacking
>> the session is probably also capable of sniffing your users'
>> credentials. What are the implications of that? If it is unacceptable
>> to have your credentials go over the network in cleartext, then you will
>> simply have to break down and use SSL.
> 
> How practical is it to use NTLM authentication w/ Tomcat?

I dunno.

> And if not NTLM, then Digest Authentication, while not as strong as
> NTLM, is supported by Tomcat.  Either prevents transmission of
> credentials in clear text.

Fair enough, but John already pointed out that he will be using SSL for
the login process, even though they do not use SSL for the user's entire
session.

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFv/N19CaO5/Lv0PARAv0yAJ4rhd4nUkyu0k9MOoBXcd9VyKDYQQCgs8u1
0HCzlbPYGP+4Q102PCRU3z4=
=uND5
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
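The thread states that Digest Authentication keeps the credentials themselves off the wire in clear text. The following is an added example, not code from the thread or from Tomcat, that walks through one HTTP Digest exchange (RFC 2617, qop=auth) with both sides in plain Python: the server issues a nonce, the client answers with a hash derived from the password, and the server verifies it from a stored HA1 without ever seeing the password. The realm name, user, password and URI are constructed for the demo; the nonce bookkeeping in `Server` is a simplified illustration, not Tomcat's implementation.

```python
import hashlib
import secrets

# Constructed demo values; nothing here comes from the mailing-list thread.
REALM = "example-realm"
USERS = {"mitchell": "correct horse"}  # cleartext kept only to derive HA1 once


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617: HA1 = MD5(username:realm:password). A server only needs to store this.
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    # RFC 2617: HA2 = MD5(method:digest-uri) for qop=auth.
    return md5_hex(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    # qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


class Server:
    """Minimal Digest verifier: stores HA1 per user and single-use nonces."""

    def __init__(self):
        self.stored_ha1 = {u: ha1(u, REALM, p) for u, p in USERS.items()}
        self.issued_nonces = set()

    def challenge(self) -> dict:
        # WWW-Authenticate: Digest realm=..., nonce=..., qop="auth"
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return {"realm": REALM, "nonce": nonce, "qop": "auth"}

    def verify(self, method: str, auth: dict) -> bool:
        nonce = auth["nonce"]
        if nonce not in self.issued_nonces:
            return False
        self.issued_nonces.discard(nonce)  # one-shot nonce: a replayed header is rejected
        h1 = self.stored_ha1.get(auth["username"])
        if h1 is None:
            return False
        expected = digest_response(h1, nonce, auth["nc"], auth["cnonce"],
                                   auth["qop"], ha2(method, auth["uri"]))
        return secrets.compare_digest(expected, auth["response"])


def client_authorize(username: str, password: str, method: str, uri: str, chal: dict) -> dict:
    # Builds the fields of the Authorization: Digest header sent back to the server.
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    resp = digest_response(ha1(username, chal["realm"], password), chal["nonce"],
                           nc, cnonce, chal["qop"], ha2(method, uri))
    return {"username": username, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": uri, "qop": chal["qop"], "nc": nc, "cnonce": cnonce, "response": resp}


def run_exchange(username: str, password: str, method: str = "GET", uri: str = "/app/login") -> dict:
    """Runs challenge -> response -> verify and reports what a passive observer would get."""
    server = Server()
    chal = server.challenge()
    auth = client_authorize(username, password, method, uri, chal)
    authenticated = server.verify(method, auth)
    # Everything in `auth` travels in clear text; check whether the password is among it.
    password_on_wire = password in " ".join(auth.values())
    # Re-sending the captured header against the same server must fail (nonce consumed).
    replay_accepted = server.verify(method, auth)
    return {"authenticated": authenticated,
            "password_on_wire": password_on_wire,
            "replay_accepted": replay_accepted}


if __name__ == "__main__":
    print(run_exchange("mitchell", "correct horse"))
    print(run_exchange("mitchell", "wrong password"))
```

What the exchange shows is exactly the narrow guarantee discussed above: the observer sees a nonce and an MD5 response, never the password. It says nothing about what happens after login. Once the user holds a session, the session identifier is sent with every request, and on a non-SSL connection that identifier is as visible as a cleartext password would have been, which is why the thread keeps coming back to SSL for the whole session rather than for the login alone.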

