> From: Paul Roberts [mailto:[EMAIL PROTECTED] 
> I was wondering, over and above encrypting the communications 
> channel how does HTTPS help to prevent session ID hijacking?

To my knowledge, it doesn't (better heads than me may wish to contradict
me here).  But keeping a randomly-generated session ID encrypted during
communication is exactly as strong as keeping (say) your credit card
information, or your bank account login and password encrypted across
the wire.  It's pretty clear that most organisations are willing to
trust SSL for financial information; if you are doing something that
requires higher security than that, you'll want to investigate
additional mechanisms such as client certificates.

                - Peter
