Posted to users@tomcat.apache.org by Jagadeesha T <ja...@yahoo.com> on 2005/07/29 14:59:03 UTC

Session Security

Hi All,
        Cookie information goes to the server in clear text, I think. I don't know whether it can be 
configured to be sent as cipher text. 
When it goes over the network to the browser, if SSL is not enabled, the cookie (JSESSIONID and its value) can be seen with Ethereal and also copied; if anybody tries that cookie with the URL,
it will take that person directly to the page. How can I disable this?
Could anybody please tell me how to avoid it? 
 
Thanks,
Jagadeesha T



Re: Session Security

Posted by Martin Bromley <ma...@sustainable-energy.co.uk>.
Simple solution: use SSL for all pages that have a session.  AFAIK there's no way to keep a session secure without it all being over SSL.

So the login process must be over SSL, and then everything until log-out should be over SSL also (I'm making the assumption that you're only using sessions for a restricted area of the site).

See www.owasp.org for excellent information on securing web apps.  

http://www.owasp.org/documentation/topten/a3.html covers session management.

Martin

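The configuration Martin's advice amounts to, written out as an added example (not part of the original thread and not taken from the Tomcat documentation): a web.xml security constraint that marks every URL in the application CONFIDENTIAL, so Tomcat redirects any plain-HTTP request to the SSL connector before a servlet or JSP ever runs, plus the matching server.xml connectors. The port numbers, keystore path and keystore password are assumptions for the example; the connector attribute names follow the Tomcat 5.5 syntax current when the thread was posted and differ in later releases.

```xml
<!-- web.xml (inside <web-app>): require HTTPS for every URL in the
     application, so the JSESSIONID cookie is never sent in the clear.
     A plain-HTTP request for a CONFIDENTIAL resource is answered with
     a redirect to the connector's redirectPort, not served. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- server.xml (inside <Service>): the HTTP connector exists only to
     redirect to the SSL connector. Ports 8080/8443, the keystore path
     and the password are assumed values for this example (Tomcat 5.5
     attribute names). -->
<Connector port="8080" redirectPort="8443" />

<Connector port="8443" scheme="https" secure="true"
           sslProtocol="TLS" clientAuth="false"
           keystoreFile="/etc/tomcat5.5/keystore.jks"
           keystorePass="changeit" />
```

With `/*` constrained, a session can only be created during an HTTPS request, and Tomcat then sets the Secure flag on the JSESSIONID cookie, so the browser will not send it back over plain HTTP even if a user later types an http:// URL. Two checks are worth doing after deploying this: confirm with a sniffer on the wire (Ethereal, as in the question) that no `Cookie: JSESSIONID=` header ever appears on port 8080, and make sure the login code calls `session.invalidate()` before creating the authenticated session, so that a session identifier a user may already have obtained over HTTP before the change is never promoted to a logged-in one.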

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org