Posted to users@tomcat.apache.org by Joel Rees <jo...@alpsgiken.gr.jp> on 2002/03/27 08:11:49 UTC

sessions, security, and the RFCs

I've been watching the conversation on https, http, session switching, and
so forth. If I followed this right, it sounds as if Tomcat 4, in dropping
session information on the switch, is being RFC compliant.

So I want to know -- what are the security implications in keeping the
session across a switch from http to https? Is this a matter of conforming
to the RFCs, and, if so, what are the motivations for killing the session
when crossing the line?

One problem I can think of: keeping the same session across the switch would
require a lot of discipline on the programmer's part, to avoid revealing
sensitive data to a browser window that had switched back to http.

I am thinking that one solution might be to record the session information
and session-id in a database on the server, since the server should know
what it is assigning to whom and when. I'm not sure what that buys,
as opposed to keeping the same session. Also not sure whether it might open
more holes to hijacking and spoofs.

Found some comments in the archives on the port numbers causing problems
with session ids for Netscape, but not for IE. (Which causes me to think
that keeping the session open across the switch from http to https may be a
typical Microsoft shot-you-in-the-foot shortcut.)

Would appreciate some pointers where else to look.

Joel Rees
Alps Giken Kansai Systems Development
Suita, Osaka
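As an added illustration of the two concerns raised above (a session id first handed out in the clear being reused over https, and https-only data leaking back to a window that returned to http), here is a servlet filter that rotates the session id at the http-to-https boundary and strips attributes flagged as https-only on any later plain-http request. This is example code written for this discussion, not code from Tomcat or from the original post; it assumes only the Servlet 2.3 Filter API that Tomcat 4 supports, and the "secure." attribute-name prefix and the class and attribute names are conventions made up for the example.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not part of Tomcat): gives a session that was first
 * created over plain HTTP a fresh id the first time it is used over HTTPS,
 * and keeps attributes named "secure.*" out of any later plain-HTTP request.
 */
public class SessionBoundaryFilter implements Filter {

    // Session attribute recording whether the current id was issued over HTTPS.
    static final String CREATED_SECURE = "boundary.createdSecure";
    // Made-up naming convention: attributes under this prefix are HTTPS-only.
    static final String SECURE_PREFIX = "secure.";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);

        if (session != null) {
            Boolean createdSecure = (Boolean) session.getAttribute(CREATED_SECURE);
            if (createdSecure == null) {
                // First time we see this session: remember which scheme issued its id.
                session.setAttribute(CREATED_SECURE, Boolean.valueOf(request.isSecure()));
            } else if (request.isSecure() && !createdSecure.booleanValue()) {
                // The id was issued in the clear and may have been observed on the
                // wire; do not let it become the id of the HTTPS conversation.
                session = rotate(request, session);
            } else if (!request.isSecure()) {
                // Back on plain HTTP: nothing stored as HTTPS-only may be served here.
                stripSecureAttributes(session);
            }
        }
        chain.doFilter(req, res);
    }

    /** Invalidate the old session and carry its attributes into a new one. */
    static HttpSession rotate(HttpServletRequest request, HttpSession old) {
        Map<String, Object> saved = new HashMap<String, Object>();
        Enumeration<?> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(CREATED_SECURE, Boolean.TRUE);
        return fresh;
    }

    /** Remove every "secure.*" attribute; returns how many were dropped. */
    static int stripSecureAttributes(HttpSession session) {
        List<String> doomed = new ArrayList<String>();
        Enumeration<?> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (name.startsWith(SECURE_PREFIX)) {
                doomed.add(name);
            }
        }
        for (String name : doomed) {
            session.removeAttribute(name);   // collected first, removed second
        }
        return doomed.size();
    }
}
```

Map the filter to every URL in web.xml so it runs before the application sees the request. Rotating the id only helps if the browser stops presenting the new id over plain http, which depends on the Secure flag of the session cookie; the Servlet 2.3 API gives the application no direct way to set that flag on the container's own session cookie, so the strip step is what protects the "switched back to http" window in the question.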
