Brian Schaefer wrote:

> So assuming this is a long term client, who periodically logs in with a
> password, you could initially use SSL on his first sign-up to pass him his
> private key.  Where could you store this key between sessions?  Ideally this
> would all have to be automatic and no additional work or bother for the
> user.

If you are using SSL, you presumably don't need to worry about eavesdroppers any
longer.  Since *everything* you send back and forth is encrypted, you might as
well set a persistent cookie with a value that connects to the user's identity,
like many portal sites do.  The HTTP headers (including this cookie) are encrypted
by the SSL layer, so there is no threat unless the hacker can crack SSL encoding
-- in which case you've got a lot more serious problems :-).

However, if you use SSL only the first time, you're still out of luck --
eavesdroppers who listen in on your subsequent communications are still in the
position that they can just send the same cookie value, and impersonate your
session.  You need to encrypt everything if you're concerned about this issue.

> Brian

Craig
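The point Craig makes above, worked into code as an added example (this is not code from the thread or from any JSP project): the session cookie holds an opaque random token rather than the user's identity, it is marked Secure so the browser never transmits it over plain HTTP, and the server additionally refuses to honour it on a non-TLS request, so a token captured from an unencrypted session cannot be replayed. The `over_tls` flag and the in-memory `SESSIONS` store are constructed stand-ins for what a servlet container would provide; `SimpleCookie` is the standard library's cookie parser.

```python
"""Added example: a persistent session cookie that is only honoured over an
encrypted connection.  Request/response plumbing is simulated; SESSIONS and
over_tls are constructed stand-ins, not a real container API.
"""
import secrets
from http.cookies import SimpleCookie

# Constructed server-side store: opaque token -> username.
SESSIONS = {}


def issue_session(username):
    """Create a server-side session and return (token, Set-Cookie header value).

    The cookie value is a random token; the user's identity lives only in the
    server-side table, so the cookie reveals nothing and cannot be forged.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    cookie = SimpleCookie()
    cookie["SESSION"] = token
    cookie["SESSION"]["secure"] = True      # browser sends it only over TLS
    cookie["SESSION"]["httponly"] = True    # not readable by page scripts
    cookie["SESSION"]["path"] = "/"
    cookie["SESSION"]["max-age"] = 60 * 60 * 24 * 30   # persistent, like the portal cookie in the thread
    return token, cookie["SESSION"].OutputString()


def current_user(cookie_header, over_tls):
    """Resolve the user from a Cookie request header.

    Returns None if the request did not arrive over TLS (defence in depth on
    top of the Secure flag), if no SESSION cookie is present, or if the token
    is unknown.  A token replayed over plaintext therefore buys nothing.
    """
    if not over_tls:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("SESSION")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def logout(token):
    """Invalidate the session server-side; the cookie value becomes useless."""
    SESSIONS.pop(token, None)


if __name__ == "__main__":
    token, set_cookie = issue_session("brian")
    print("Set-Cookie:", set_cookie)
    request_cookie = f"SESSION={token}"
    print("over TLS   ->", current_user(request_cookie, over_tls=True))
    print("over plain ->", current_user(request_cookie, over_tls=False))
```

The Secure attribute is what stops the "SSL only on first login" problem: even if later pages are served over plain HTTP, the browser withholds the cookie, so there is nothing on the wire for an eavesdropper to copy. The server-side `over_tls` check covers the case where a cookie was ever set without that flag.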

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
FAQs on JSP can be found at:
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html