On Wed, Oct 7, 2009 at 12:25 PM, Marvin Addison <[email protected]> wrote:

<snip />
> > If yes, then this is what you meant in your earlier reply that the
> > session token is exposed?
>
> I am fairly certain he meant the application server session
> identifier. If your application maintains any sort of state, then a
> session ID cookie of some sort is sent back to the browser. Failure
> to send this cookie over a secure channel enables man-in-the-middle
> attacks against your application.

Yes, that's what I meant. Thanks, Marvin. I think you've read too many of my emails over the years ;-)

> M

--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
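The point Marvin makes above is that a session-identifier cookie (JSESSIONID for a Servlet container such as the one CAS runs in) that is set without the Secure attribute will be sent by the browser on any plain-HTTP request to the same host, where a man in the middle can read it and replay the session. The following is an added example, not code from this thread or from the CAS project: a small audit of Set-Cookie header values that flags session cookies lacking Secure (and HttpOnly), and a helper that shows what the hardened header looks like. The cookie names it treats as session cookies (JSESSIONID, CASTGC, anything containing "SESS") and the sample headers are assumptions constructed for the example.

```python
import re

# Names assumed to carry session state. JSESSIONID is the Servlet-container
# session id discussed in the thread; CASTGC is the CAS ticket-granting
# cookie; the ".*SESS.*" catch-all is an assumption for other frameworks.
SESSION_COOKIE_PATTERN = re.compile(r"^(JSESSIONID|CASTGC|.*SESS.*)$", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path=/cas) map to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return a list of findings for a session cookie; [] if it is fine
    or if the cookie is not a session cookie at all."""
    name, _, attrs = parse_set_cookie(header)
    if not SESSION_COOKIE_PATTERN.match(name):
        return []
    findings = []
    if "secure" not in attrs:
        findings.append(
            f"{name}: missing Secure; the browser will also send it over plain HTTP"
        )
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly; readable by injected script")
    return findings


def audit_response(set_cookie_headers):
    """Audit every Set-Cookie header of one HTTP response."""
    findings = []
    for header in set_cookie_headers:
        findings.extend(audit_set_cookie(header))
    return findings


def harden_set_cookie(header):
    """Return the header with Secure and HttpOnly appended where absent.

    This is what a servlet Filter that rewrites Set-Cookie, or the
    container's cookie configuration, should produce for a session id.
    """
    _, _, attrs = parse_set_cookie(header)
    hardened = header.rstrip().rstrip(";")
    if "secure" not in attrs:
        hardened += "; Secure"
    if "httponly" not in attrs:
        hardened += "; HttpOnly"
    return hardened


if __name__ == "__main__":
    # Constructed sample response headers, not captured from a real server.
    sample_headers = [
        "JSESSIONID=1A2B3C4D5E6F; Path=/cas",
        "theme=dark; Path=/; Max-Age=86400",
    ]
    for finding in audit_response(sample_headers):
        print("FINDING:", finding)
    print("hardened:", harden_set_cookie(sample_headers[0]))
```

Run against a real deployment by pasting the Set-Cookie values from the login response into `sample_headers`; a clean result on the session cookie is only meaningful if the site is also reachable solely over HTTPS, since Secure stops the cookie being sent over HTTP but does not stop the user from being redirected to an HTTP page in the first place.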
