If session APIs and request dispatchers are used for "internal" redirection, is there still any security hole?

Craig R. McClanahan wrote:

On Fri, 18 Oct 2002, Henrik Bentel wrote:


Date: Fri, 18 Oct 2002 23:07:17 +0000
From: Henrik Bentel <[EMAIL PROTECTED]>
Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: problem with session tracking and redirection http<---> https



Yeah, I always encode the redirection URL.
It's weird that it works if the session is created under http, but not
under https.

Bug, maybe?


Nope ... avoidance of a huge security hole.

Once a session is accessed via https, it should never ever be allowed to
be accessed from http again. The reason for this is that the session id
is transmitted in clear text, so anyone who can snoop the network can
hijack your session and impersonate the originally authenticated user
(even if that user originally authenticated on an encrypted channel).

Do not, under any circumstances, design applications that depend on
maintaining session state across an https --> http transition.

Craig McClanahan


--
To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
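The hijack Craig describes, as an added example that is not part of the thread and not Tomcat's own code: a toy server-side session store that remembers whether a session id has ever been presented over https, a passive sniffer that pulls the id out of the plaintext http request (from the rewritten ";jsessionid=" URL or a Cookie header), and a scenario that runs the https login -> http redirect -> replay sequence with and without a downgrade rule. The store, the `forbid_downgrade` policy, the names (`SessionStore`, `sniff_session_id`, `run_scenario`) and the request text are all constructed for this example.

```python
"""Model of the https -> http session-downgrade problem.

Added example, not code from the thread or from Tomcat. Assumes a server-side
store that records whether a session id was ever used over TLS, and an
eavesdropper who can read the plaintext http leg. All names are hypothetical.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# The id travels in clear on http either in a rewritten URL (";jsessionid=...")
# or in a Cookie header; the sniffer looks for both.
_SID_IN_URL = re.compile(r";jsessionid=([0-9A-Fa-f]+)")
_SID_IN_COOKIE = re.compile(r"JSESSIONID=([0-9A-Fa-f]+)")


@dataclass
class Session:
    sid: str
    user: str
    seen_over_tls: bool
    valid: bool = True


class SessionStore:
    """Server side. With forbid_downgrade=True, a session that has ever been
    used over https is invalidated the moment its id arrives on plain http:
    from that point the id must be assumed captured."""

    def __init__(self, forbid_downgrade: bool = True):
        self.forbid_downgrade = forbid_downgrade
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, over_tls: bool) -> Session:
        s = Session(secrets.token_hex(16), user, seen_over_tls=over_tls)
        self._sessions[s.sid] = s
        return s

    def resolve(self, sid: str, over_tls: bool) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is None or not s.valid:
            return None
        if over_tls:
            s.seen_over_tls = True
            return s
        if s.seen_over_tls and self.forbid_downgrade:
            s.valid = False  # the id just leaked in clear text: burn it
            return None
        return s


def sniff_session_id(plaintext_request: str) -> Optional[str]:
    """What a network sniffer sees on the http leg: the session id in the
    request line (URL rewriting) or in the Cookie header, both unencrypted."""
    for line in plaintext_request.splitlines():
        m = _SID_IN_URL.search(line) or _SID_IN_COOKIE.search(line)
        if m:
            return m.group(1)
    return None


def run_scenario(forbid_downgrade: bool) -> dict:
    """Login over https, redirect to an http page with the encoded URL,
    eavesdropper replays the captured id over https."""
    store = SessionStore(forbid_downgrade)
    sess = store.create("alice", over_tls=True)  # authenticated on https

    # Constructed plaintext request sent to the http redirect target.
    http_req = (
        f"GET /shop/cart;jsessionid={sess.sid} HTTP/1.1\r\n"
        "Host: shop.example\r\n\r\n"
    )
    victim_http = store.resolve(sess.sid, over_tls=False)

    captured = sniff_session_id(http_req)
    attacker = store.resolve(captured, over_tls=True) if captured else None

    return {
        "victim_served_over_http": victim_http is not None,
        "attacker_impersonates": attacker.user if attacker else None,
        "captured_id_matches": captured == sess.sid,
    }


if __name__ == "__main__":
    for policy in (False, True):
        print(f"forbid_downgrade={policy}: {run_scenario(policy)}")
```

Without the rule the sniffer's replay is served as "alice"; with it the victim's own http request kills the session, so the captured id is worthless. Invalidation is only damage limitation, though: the sniffer still saw the id, and the application broke for the user. The real fix is the one in the reply above, never carrying a session across an https -> http transition at all (a cookie marked Secure is never sent by the browser over http, and a rewritten URL should not be handed to an http page).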

