Actually (hopefully I didn't snip you out of context) ...

If a user switches from http to https - shouldn't a new session id be assigned? If not - an attacker can swipe the session id while the user was in http mode. Then the attacker can issue requests using https with the http session id. Now this also relies on the assumption the attacker will know the user will switch to https mode. Then there exists the possibility the attacker can still gain some sensitive information. (Hopefully the web app designer never displays the entire credit card number on the screen.)

Or is there a way to additionally (programmatically) tie the session to an SSL client? (Is that what javax.servlet.request.cipher_suite is for?)

-Tim

Craig R. McClanahan wrote:
Starting a session in http and switching to https for the sensitive part
(i.e. fill your shopping cart on http and switch for the checkout page
that asks for your credit card number) is fine.

Switching from https to http, in the same session, is not fine.
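The mitigation Tim asks about (rotating the session id the first time a session that began over plain http is used over https) can be done in a servlet filter. This is an added example, not code from either poster or from any particular container; the filter name and the `session.establishedOverTls` attribute name are my own choices.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter: the first time a session is seen on an HTTPS request,
// copy its state into a brand-new session so the id that travelled in
// cleartext is never accepted on the secure side.
public class SessionUpgradeFilter implements Filter {
    // Marker attribute (my own name) recording that the id was issued over TLS.
    private static final String SECURE_FLAG = "session.establishedOverTls";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        if (session != null && request.isSecure()
                && session.getAttribute(SECURE_FLAG) == null) {
            // Preserve the shopping cart etc., then discard the old id.
            Map<String, Object> saved = new HashMap<>();
            for (String name : Collections.list(session.getAttributeNames())) {
                saved.put(name, session.getAttribute(name));
            }
            session.invalidate();
            HttpSession fresh = request.getSession(true);
            for (Map.Entry<String, Object> e : saved.entrySet()) {
                fresh.setAttribute(e.getKey(), e.getValue());
            }
            fresh.setAttribute(SECURE_FLAG, Boolean.TRUE);
        }
        chain.doFilter(req, res);
    }
}
```

On Servlet 3.1 and later containers, `HttpServletRequest.changeSessionId()` replaces the copy-and-invalidate dance; either way, mark the session cookie Secure (Servlet 3.0 `<cookie-config><secure>true</secure>` in web.xml) so the fresh id is never sent back over http, which is the https-to-http problem Craig describes.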


