On Fri, 18 Oct 2002, Maninder S Batth wrote:

> Date: Fri, 18 Oct 2002 20:11:31 -0700
> From: Maninder S Batth <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: problem with session tracking and redirection http<---> https
>
>  if session APIs and request dispatchers are used for "internal"
> redirection, is there still any security hole?
>

No, but you can't switch from http to https (or from https to http) across
a RequestDispatcher.forward call.  The response will be sent on the same
protocol used to submit the request.

Craig

> Craig R. McClanahan wrote:
>
> >On Fri, 18 Oct 2002, Henrik Bentel wrote:
> >
> >
> >
> >>Date: Fri, 18 Oct 2002 23:07:17 +0000
> >>From: Henrik Bentel <[EMAIL PROTECTED]>
> >>Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> >>To: [EMAIL PROTECTED]
> >>Subject: Re: problem with session tracking and redirection http<---> https
> >>
> >>
> >>
> >>Yeah, I always encode the redirection URL.
> >>It's weird that it works if the session is created under http, but not
> >>under https.
> >>
> >>bug maybe?
> >>
> >>
> >>
> >
> >Nope ... avoidance of a huge security hole.
> >
> >Once a session is accessed via https, it should never ever be allowed to
> >be accessed from http again.  The reason for this is that the session id
> >is transmitted in clear text, so anyone who can snoop the network can
> >hijack your session and impersonate the originally authenticated user
> >(even if that user originally authenticated on an encrypted channel).
> >
> >Do not, under any circumstances, design applications that depend on
> >maintaining session state across an https --> http transition.
> >
> >Craig McClanahan
> >
> >
> >
> >
> >
>
>
>


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
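The rule Craig states above (once a session has been used over https it must never be accepted over plain http again) can also be enforced in application code, independent of the container. The filter below is an added example, not code from this thread or from Tomcat itself; it assumes the javax.servlet Filter API (Servlet 2.3, as shipped with Tomcat 4), and the class name and session attribute key are my own choices.

```java
// Added example (not from the thread): a servlet Filter that rejects any
// plain-http access to a session that has already been used over https,
// so a session id observed on the clear-text channel is useless.
// Assumes the Servlet 2.3 javax.servlet API; names below are hypothetical.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SecureSessionFilter implements Filter {
    // Session attribute marking that this session has been used over https.
    private static final String USED_OVER_HTTPS = "example.usedOverHttps";

    public void init(FilterConfig config) throws ServletException {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create one here

        if (session != null) {
            boolean usedOverHttps =
                    Boolean.TRUE.equals(session.getAttribute(USED_OVER_HTTPS));
            if (request.isSecure()) {
                // Remember that this id has now travelled only over https.
                session.setAttribute(USED_OVER_HTTPS, Boolean.TRUE);
            } else if (usedOverHttps) {
                // The id presented on this clear-text request belongs to an
                // https conversation; treat it as exposed and discard it.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Session established over https may not be used over http");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}
}
```

Map the filter to every URL pattern that can carry the session cookie or an encoded session id; a session first created over http and later upgraded to https is allowed, the reverse direction is refused, which matches the behaviour Craig describes.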
