cookie files under normal HTTP with the
Firesheep extension for Firefox.
Cheers,
André
-----Original Message-----
From: Rafael Liu [mailto:rafael...@gmail.com]
Sent: 21 June 2011 03:12
To: Tomcat Users List
Subject: RE: Setting SSL for login pages
Good point Chuck. I agree with you, the webapp wouldn't be all secured.
But there are 2 different things here:
* the issue with the plain password
* the issue with session hijacking
The first one first gives the hacker
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Rafael,
On 6/20/2011 8:12 PM, Rafael Liu wrote:
Good point Chuck. I agree with you, the webapp wouldn't be all secured. But
there are 2 different things here:
* the issue with the plain password
* the issue with session hijacking
This does
Hey Chris,
as you said, each problem compromises different kinds of things: account vs
credentials. And I think they have different kinds of consequences and can
be, each one, dangerous in its own way. I brought the discussion into the list
because I thought it was relevant.
Looking at the code, a
On 21/06/2011 17:05, Rafael Liu wrote:
Hey Chris,
as you said, each problem compromises different kinds of things: account vs
credentials. And I think they have different kinds of consequences and can
be, each one, dangerous in its own way. I brought the discussion into the list
because I
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Rafael,
On 6/21/2011 12:05 PM, Rafael Liu wrote:
I agree it's kind of a philosophical question but I see some real
implications. Anyway, for the record, as a quick and dirty fix I set the
full URL with the https scheme in /form@action. But the hosting
Well, if it's the spec I guess there's not much to argue. Maybe turn it into
an option, but I already got the feeling of the community. I won't insist as
this is my specific requirement and may not be of use to a wide range of the
community.
Mark, there could be a MIM attack but that's yet another
From: Rafael Liu [mailto:rafael...@gmail.com]
Subject: Setting SSL for login pages
I think something like this would be natural:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL login</web-resource-name>
    <url-pattern>/login/*</url-pattern>
  </web-resource-collection>
  <!-- the archive preview cuts the snippet off here; a user-data-constraint
       with transport-guarantee CONFIDENTIAL is the usual completion -->
</security-constraint>
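As an added illustration of the thread's point (this is not code from the original post or from the Tomcat project), the login-only constraint proposed above is shown next to a whole-application constraint and a Secure/HttpOnly session cookie. The first setting protects the password on the wire but leaves every later request, and the session cookie, in clear text, which is the session-hijacking problem raised in the thread; the second and third close that gap. The url-patterns are hypothetical, and the cookie-config element assumes a Servlet 3.0 container (Tomcat 7 or later).

```xml
<!-- Added example, not from the original post. Assumes Servlet 3.0 / Tomcat 7+. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- 1. Login-only constraint, as proposed in the thread: the credential
       travels over TLS, but every later request (and the session cookie
       with it) still goes over plain HTTP, so the session can be hijacked. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL login</web-resource-name>
      <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 2. Whole-application constraint: every URL requires TLS, which covers
       both the credential and the session cookie. This supersedes the
       login-only constraint above; in a real deployment keep only this one. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 3. Mark the session cookie Secure (the browser never sends it over
       plain HTTP, so a sniffer on an open network never sees it) and
       HttpOnly (not readable from script). Servlet 3.0 / Tomcat 7 and later. -->
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
```

The two security-constraint elements are shown together only to contrast the weak and the corrected setting; with the /* constraint in place the /login/* one is redundant. The Secure cookie flag matters even with the /* constraint, because a plain-HTTP request (for example a typed URL) is redirected to HTTPS by the container, and without the flag the browser would already have sent the session cookie in clear text on that first request.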
Good point Chuck. I agree with you, the webapp wouldn't be all secured. But
there are 2 different things here:
* the issue with the plain password
* the issue with session hijacking
The first one first gives the hacker private information about the user
(which can even be used by the user