From: Christopher Schultz
To: Tomcat Users List
Date: Tue, 30 Jan 2007 20:40:05 -0500
Subject: Re: session hijacking again
Message-ID: <45BFF375.2000603@christopherschultz.net>

Mitchell, Fisher, Mitchell L wrote:
>> Without SSL, though, remember that anyone who is capable of hijacking
>> the session is probably also capable of sniffing your users'
>> credentials. What are the implications of that? If it is unacceptable
>> to have your credentials go over the network in cleartext, then you
>> will simply have to break down and use SSL.
>
> How practical is it to use NTLM authentication w/ Tomcat?

I dunno.

> And if not NTLM, then Digest Authentication, while not as strong as
> NTLM, is supported by Tomcat. Either prevents transmission of
> credentials in clear text.

Fair enough, but John already pointed out that he will be using SSL for
the login process, even though they do not use SSL for the user's entire
session.

-chris
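The design under discussion (SSL for the login request only, plain HTTP for the rest of the session) protects the password but not the session identifier. The following added example, which is not part of the thread and not Tomcat code, uses Python's standard http.cookiejar to model the client-side cookie rule: a session cookie issued during an HTTPS login is attached to every later plain-HTTP request to the same host, where a network observer can read it, unless the cookie carries the Secure attribute, in which case the client withholds it from HTTP requests entirely (so the mixed-mode site no longer sees the session on its HTTP pages). The host name, cookie value and URLs are constructed for the demonstration; JSESSIONID is simply Tomcat's default session cookie name.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar


class FakeResponse:
    """Constructed stand-in for an HTTP response; no server is contacted.

    CookieJar.extract_cookies() only needs .info() to return a header
    mapping that supports get_all(), which email.message.Message does.
    """

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            # Message.__setitem__ appends, so several Set-Cookie lines survive.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookies_sent_to(jar, url):
    """Return the Cookie header the client would attach to a request for url,
    or None if no cookie in the jar is in scope for that scheme/host/path."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def simulate_login(set_cookie_value,
                   login_url="https://app.example.test/login"):
    """Simulate an HTTPS login that sets a session cookie, then report what
    the client sends on a later HTTPS request and on a later plain-HTTP
    request to the same (constructed) host."""
    jar = CookieJar()
    login_request = urllib.request.Request(login_url)
    jar.extract_cookies(FakeResponse([set_cookie_value]), login_request)
    return {
        "https": cookies_sent_to(jar, "https://app.example.test/account"),
        "http": cookies_sent_to(jar, "http://app.example.test/home"),
    }


if __name__ == "__main__":
    # Cookie as a mixed-mode site would issue it: readable on every HTTP hop.
    print("no Secure flag :", simulate_login("JSESSIONID=abc123; Path=/"))
    # Same cookie marked Secure: never leaves the client over plain HTTP,
    # which also means the site's HTTP pages cannot see the session.
    print("Secure flag    :", simulate_login("JSESSIONID=abc123; Path=/; Secure"))
```

The two outputs make the trade-off concrete: without Secure, the identifier the SSL login was meant to protect is exposed in cleartext on every subsequent request; with Secure, the exposure is gone but so is the session on the non-SSL pages, which is why the thread's advice converges on putting the whole session behind SSL.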