tomcat-users mailing list archives

From Peter Crowther <peter.crowt...@melandra.com>
Subject Re: Toggling
Date Wed, 06 Jan 2010 09:36:31 GMT
2010/1/6 Nikita Manohar <nikita.manohar@gmail.com>

> The trigger here is suppose in a web application there is a welcome page
> which is to be re-directed to a user's homepage after login. The secure
> information (login page) should be toggled to https and the rest as http.
>
> Is it possible to do so automatically?
>
This is asked fairly regularly on this list - search the archives for
"secure login" and I suspect you'll come up with many examples.

However, I think you have a security problem with your application.  Is the
user's session identity somehow less valuable than the user's password?  If
the session identity is stolen after login (easy over normal HTTP - just
sniff the cookie or the URL, whichever contains the session ID) then an
attacker can do anything the user could do.  Is this an acceptable security
risk?  If not, you should simply run everything over SSL.  With modern
processors and typical web applications, the extra CPU cycles required for
SSL at the server are rarely a concern.

- Peter
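One way to apply that advice in Tomcat, as an added example that is not part of this thread: a web.xml fragment that forces every request onto HTTPS and keeps the session ID in a Secure cookie rather than in the URL. It assumes a Servlet 3.0 container (Tomcat 7 or later) for `<cookie-config>` and `<tracking-mode>`, an HTTPS Connector in server.xml that the HTTP Connector's `redirectPort` points at, and `/login.jsp` as a stand-in for whatever the login page actually is.

```xml
<!-- web.xml fragment (added example, not from the thread). Assumes Tomcat 7+
     (Servlet 3.0) and an HTTPS Connector that the HTTP Connector's
     redirectPort attribute points at, e.g. redirectPort="8443". -->

<!-- Weak: only the login page requires TLS, so the session cookie issued
     after login travels in clear over HTTP on every later request. -->
<!--
<security-constraint>
  <web-resource-collection>
    <web-resource-name>login only</web-resource-name>
    <url-pattern>/login.jsp</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
-->

<!-- Corrected: every URL requires TLS; Tomcat answers a plain HTTP request
     for any of them with a redirect to the connector's redirectPort. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Keep the session ID out of URLs (no ;jsessionid= rewriting), mark the
     cookie Secure so a browser never sends it over plain HTTP, and HttpOnly
     so page scripts cannot read it. -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
```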
