dealt with as options to not outlaw
schemes that actually are used.
cheers,
Anders
- Original Message -
From: "Ralph Einfeldt" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Wednesday, April 03, 2002 09:28
Subject: Re: Re: Re: sessions,
HTTPS port.
> -Original Message-
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 2 April 2002 18:47
> To: Tomcat Users List
> Subject: Re: Re: Re: sessions, security, and the RFCs
> Servlet 2.3 (basis for Tomcat 4.x) added some specific
> requi
On Tue, 2 Apr 2002, Ralph Einfeldt wrote:
> Date: Tue, 2 Apr 2002 09:40:48 +0200
> From: Ralph Einfeldt <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: Re: sessions, security, an
this topic ?
> -Original Message-
> From: Manuel Mall [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 28 March 2002 06:53
> To: 'Tomcat Users List'
> Subject: RE: Re: sessions, security, and the RFCs
> Why does Tomcat 4 implement a different session behaviour
>
> > The problem is, that if you keep the same session id after you switch to
> > https it is possible that somebody steals your secure session.
>
> Yes, of course. (Sometimes I miss the obvious.)
IMHO, an HTTP session cannot do authentication. That is the job of SSL/TLS and client
certificates. The
The discussion on this thread seems to focus on the question whether maintaining
sessions across the http / https change is secure or not.
While I do agree that it is not secure to do so, and I also acknowledge that it is
common practice to do so (e.g. Hotmail), the question remains what is the correct
i
>I would say that you are partially right. It may be valid to protect passwords
>in a https session and run the rest of the app (for performance reasons) in http.
>This is BTW how Microsoft's Passport is used in Hotmail, used by 100 million
>users, so this (bad habit) is definitely not that unus
Carsten,
>As a consequence, switching from https to http and back is about equally secure as
>not using SSL at all. So you are
>shooting yourself in the foot by thinking that everything is safe, but your webapp is
>just one very big hole.
I would say that you are partially right. It may be
>The problem is that if you keep the same session id after you switch to
>https it is possible that somebody steals your secure session. The only
That's true. At least in theory, and some crackers might come pretty close. Dumb
sniffers and traffic loggers cannot read your data with SSL, but a
s
not encrypted.
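The hijack described in the exchange above (a session id handed out over plain HTTP, sniffed in the clear, then replayed against the HTTPS part of the application) is usually closed by discarding that id the moment the session first shows up on a secure request. The following Servlet 2.3 filter is an added example written for this page; it is neither code from the thread nor part of Tomcat, and the class name SecureSessionFilter and the "secure.session" marker attribute are hypothetical. It goes one step beyond the thread by also refusing a session that was created over HTTPS and later presented over plain HTTP, since at that point its id has leaked anyway.

```java
// Added example, not from the original thread or from Tomcat.
// Servlet 2.3 filter: when a session whose id was issued over plain HTTP
// first arrives on an HTTPS request, move its state to a fresh session so
// an id sniffed on the wire cannot be replayed against the secure part.
// Hypothetical names: SecureSessionFilter, SECURE_MARK ("secure.session").
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SecureSessionFilter implements Filter {

    /** Marker attribute: this session was (re)created on an HTTPS request. */
    static final String SECURE_MARK = "secure.session";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Never create a session here; only look at one the client presented.
            HttpSession session = http.getSession(false);
            if (session != null) {
                boolean markedSecure = session.getAttribute(SECURE_MARK) != null;
                if (http.isSecure() && !markedSecure) {
                    // Id was handed out over plain HTTP and may have been
                    // sniffed: carry the state over to a brand-new id.
                    rotate(http, session);
                } else if (!http.isSecure() && markedSecure) {
                    // Session born on HTTPS now presented in the clear: the
                    // id has leaked, so refuse to continue it.
                    session.invalidate();
                }
            }
        }
        chain.doFilter(req, res);
    }

    /** Copy all attributes into a new session, invalidate the old one. */
    static HttpSession rotate(HttpServletRequest http, HttpSession old) {
        Map saved = new HashMap();
        for (Enumeration e = old.getAttributeNames(); e.hasMoreElements();) {
            String name = (String) e.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = http.getSession(true);   // container issues a new id
        for (Iterator i = saved.entrySet().iterator(); i.hasNext();) {
            Map.Entry entry = (Map.Entry) i.next();
            fresh.setAttribute((String) entry.getKey(), entry.getValue());
        }
        fresh.setAttribute(SECURE_MARK, Boolean.TRUE);
        return fresh;
    }
}
```

Map the filter to /* in web.xml ahead of anything that reads the session. Two caveats a practitioner should check: the new id only stays private if the container sends the session cookie with the Secure flag on the HTTPS response (otherwise the browser will present it on the next plain-HTTP request, which this filter then treats as a leak and invalidates), and an attacker who already holds the old id and wins the race to the first HTTPS request gets the rotated session instead of the legitimate user, so the rotation should sit at the login step, not replace it.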
> -Original Message-
> From: Joel Rees [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 27 March 2002 11:16
> To: Tomcat Users List
> Subject: Re: sessions, security, and the RFCs
> Since only the browser which successfully logged on should
> have the
Ralph Einfeldt explained:
> The problem is, that if you keep the same session id after you switch to
> https it is possible that somebody steals your secure session.
Yes, of course. (Sometimes I miss the obvious.)
>The only information that
> is used to identify the session is the session id.
A
t Users List
Subject: sessions, security, and the RFCs
I've been watching the conversation on https, http, session switching, and
so forth. If I followed this right, it sounds as if Tomcat 4, in dropping
session information on the switch, is being RFC compliant.
...
To: Tomcat Users List
> Subject: sessions, security, and the RFCs
>
> So I want to know -- what are the security implications in keeping the
> session across a switch from http to https? Is this a matter of
conforming
> to the RFCs, and, if so, what are the motivations for killing
I've been watching the conversation on https, http, session switching, and
so forth. If I followed this right, it sounds as if Tomcat 4, in dropping
session information on the switch, is being RFC compliant.
So I want to know -- what are the security implications in keeping the
session across a sw