[jboss-user] [JBoss Seam] - Re: sessionId cookie: man-in-the-middle attack
avbentem
do-not-reply at jboss.com
Sat Jun 2 19:12:06 EDT 2007
> your site is http, but post-login, it changes to https
Ohh, I guess you mean pre-login. Like one could be browsing a site using HTTP. Then, when clicking a login link or payment link one would get to a HTTPS page at which the credentials are entered. So, the credentials are encrypted as well.
Yes, I assume Gavin's idea to rotate the cookie whenever the protocol changes might be good.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050712#4050712
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4050712
More information about the jboss-user
mailing list