From http://edocs.bea.com/wls/docs92/security/thin_client.html:
... a Web site designer can ensure that session stealing is not a problem by making all sensitive data require HTTPS.

Don't know if that helps.

Matt

On 4/26/07, pankaj singla <[EMAIL PROTECTED]> wrote:
Hi,

I have a question regarding security for cookies. We are using cookies for session tracking, but we are concerned that some malicious user could get the session id stored in the cookie. Our testing team got this:

    Set-Cookie: JSESSIONID=5H5EJCZrWZw-V4l2JuC8wNnUimE; path=/app; secure

So, they are concerned that this session id could be used for an attack on the site and suggested using the httponly flag. Do you think this compromises our security, and is there a workaround?

Thanks,
Pankaj
--
http://raibledesigns.com

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
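The thread turns on two cookie attributes: `secure` (already present on the quoted header) keeps the browser from sending the cookie over plain HTTP, and `HttpOnly` (the flag the testing team asked for) keeps page script from reading it via `document.cookie`, which limits what a cross-site scripting bug can steal. The following is an added example, not code from the thread or from WebLogic: a small checker that parses `Set-Cookie` headers and reports which of the two protections a session cookie lacks. The first sample header reproduces the one quoted above; the other two are constructed variants for comparison, and the function and variable names are my own.

```python
import re
from typing import Dict, List

# Constructed sample Set-Cookie headers. SAMPLE_HEADERS[0] is the header quoted in
# the thread; the other two are assumed variants (hardened, and missing both flags).
SAMPLE_HEADERS: List[str] = [
    "Set-Cookie: JSESSIONID=5H5EJCZrWZw-V4l2JuC8wNnUimE; path=/app; secure",
    "Set-Cookie: JSESSIONID=5H5EJCZrWZw-V4l2JuC8wNnUimE; Path=/app; Secure; HttpOnly",
    "Set-Cookie: JSESSIONID=5H5EJCZrWZw-V4l2JuC8wNnUimE; Path=/app",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header into cookie name, value and an attribute map.

    Attribute names are lower-cased because browsers treat them case-insensitively
    (the quoted header uses 'secure', WebLogic docs write 'Secure'). Flag attributes
    with no '=' (Secure, HttpOnly) map to True; valued ones (Path, Domain) keep their value.
    """
    line = re.sub(r"^Set-Cookie:\s*", "", header.strip(), flags=re.IGNORECASE)
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header: str) -> Dict[str, object]:
    """Report the transport and script-access protections a session cookie is missing."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser will also send the cookie over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable from document.cookie by page script")
    return {"name": cookie["name"], "findings": findings, "ok": not findings}


def audit_all(headers: List[str]) -> List[Dict[str, object]]:
    """Audit every header in order; handy for running over a captured response."""
    return [audit_session_cookie(h) for h in headers]


if __name__ == "__main__":
    for header, result in zip(SAMPLE_HEADERS, audit_all(SAMPLE_HEADERS)):
        status = "OK" if result["ok"] else "; ".join(result["findings"])
        print(f"{header}\n  -> {result['name']}: {status}")
```

Run as a script it prints one verdict per header; run over a real response it is a quick way to confirm that the servlet container (or a filter adding the header by hand, as was needed before the Servlet API grew a setHttpOnly method) actually emitted both attributes rather than only one of them.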
