Yes, you are probably right, I will have to use SSL. Does anybody know of some good free stress-testing software?

How does this sound?

1) User logs on, and the username and password are sent over SSL. The password is MD5 hashed and compared against users in a database.
2) If valid, the user logs on; if not, the user is sent to an error page.
3) The rest of the session is over SSL.

If the database is compromised, the hash value would be no use?

Lastly, how do I enforce that the whole of the web site must be over SSL, except the initial welcome page, so the user doesn't have to type in port numbers? Is it something like this in the web.xml file?

<security-constraint>
  <web-resource-collection>
    <web-resource-name>***</web-resource-name>
    <url-pattern>/index.html</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>***</web-resource-name>
    <url-pattern>/*</url-pattern>       <!-- or will this overwrite the index.html -->
    <url-pattern>/*jsp</url-pattern>    <!-- should it be like this -->
    <url-pattern>/data/*</url-pattern>
    <url-pattern>/etc/*</url-pattern>   <!-- etc -->
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
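
An added example, not part of the original post: the bare MD5 storage from step 1 next to a salted PBKDF2 record, to show what a stolen database row does and does not reveal. The class name, the sample password, the "salt:hash" record layout and the iteration count are assumptions, and the PBKDF2WithHmacSHA256 algorithm name requires Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStorageDemo {
    static final int ITERATIONS = 600_000; // assumed work factor; tune to your hardware

    // Scheme from the post: bare MD5 of the password, no salt.
    // Identical passwords give identical rows, so a precomputed table matches them all at once.
    static String md5Hex(String password) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Slow, salted derivation: each guess costs ITERATIONS HMAC rounds per user.
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Record to store in the database: "salt:hash", both Base64 (assumed layout).
    static String enroll(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder e = Base64.getEncoder();
        return e.encodeToString(salt) + ":" + e.encodeToString(pbkdf2(password, salt));
    }

    static boolean verify(char[] candidate, String record) throws Exception {
        String[] parts = record.split(":");
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, pbkdf2(candidate, salt)); // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        String pw = "Summer2024!"; // constructed sample: two users who chose the same password
        System.out.println("MD5 rows equal:    " + md5Hex(pw).equals(md5Hex(pw)));
        String a = enroll(pw.toCharArray()), b = enroll(pw.toCharArray());
        System.out.println("PBKDF2 rows equal: " + a.equals(b));
        System.out.println("verify correct:    " + verify(pw.toCharArray(), a));
        System.out.println("verify wrong:      " + verify("guess".toCharArray(), a));
    }
}
```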