> From: Paul Roberts [mailto:[EMAIL PROTECTED]
>
> I was wondering, over and above encrypting the communications
> channel how does HTTPS help to prevent session ID hijacking?

To my knowledge, it doesn't (better heads than me may wish to contradict me here). But keeping a randomly-generated session ID encrypted during communication is exactly as strong as keeping (say) your credit card information, or your bank account login and password encrypted across the wire.

It's pretty clear that most organisations are willing to trust SSL for financial information; if you are doing something that requires higher security than that, you'll want to investigate additional mechanisms such as client certificates.

- Peter