Simple solution: use SSL for all pages that have a session. AFAIK there's no
way to keep a session secure without it all being over SSL.
So the login process must be over SSL, and then everything until log-out should
be over SSL also (I'm making the assumption that you're only using sessions for
a restricted area of the site).
See www.owasp.org for excellent information on securing web apps.
http://www.owasp.org/documentation/topten/a3.html covers session management.
Martin
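One way to enforce Martin's rule ("everything between login and log-out stays on SSL") inside a servlet container, as an added example that is not from this thread: a filter that refuses to honour a session over plain HTTP, discards a session whose cookie has already travelled in clear, and redirects the client to the TLS endpoint. It assumes a standard javax.servlet web app; the class name is mine.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: map it to every URL that participates in a session. */
public class RequireTlsForSessionFilter implements Filter {

    public void init(FilterConfig cfg) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // The JSESSIONID (if any) just crossed the wire unencrypted, so treat
            // it as exposed: drop the server-side session instead of resuming it.
            HttpSession exposed = request.getSession(false);
            if (exposed != null) {
                exposed.invalidate();
            }
            // Send the client to the same resource over HTTPS; the login page and
            // everything after it will then be served on the encrypted port.
            StringBuilder target = new StringBuilder("https://")
                    .append(request.getServerName())
                    .append(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.sendRedirect(target.toString());
            return;
        }

        // Already on TLS: let the request (and its session) proceed normally.
        chain.doFilter(req, res);
    }
}
```

The declarative equivalent is a web.xml `<security-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` on the same URL patterns; the filter adds the "invalidate on plaintext exposure" step that the constraint alone does not perform.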
Jagadeesha T wrote:
Hi All,
Cookie information goes to the server in clear text, I think. I don't know whether it can be
configured to send it as cipher text.
When it goes over the network to the browser, if SSL is not enabled, the Cookie;JSESSIONID;value can be seen through Ethereal and also copied. If anybody tries with that cookie and the URL,
it will take the person directly to that page. How can I disable it?
Could anybody please tell me how to avoid it.
Thanks,
Jagadeesha T