[jboss-user] [JBoss Seam] - Re: sessionId cookie: man-in-the-middle attack

avbentem do-not-reply at jboss.com
Sun Jun 3 13:48:18 EDT 2007


> browsers don't actually maintain two session ids,
> one for HTTP and one for HTTPS

Ohhh, good thinking...!

You might know that a cookie can be set to be secure, and should then not be used for plain HTTP. I guess all browsers support that and won't send secure cookies over non-SSL connections.

Of course we can also find specifications for the specific situation you describe, but I doubt one can rely on those being implemented alike by all browsers. Like what happens when switching, or when using HTTP and HTTPS simultaneously. Maybe some browser sends back two cookies for SSL connections: both the HTTP and HTTPS cookies -- but then how would one tell from the HTTP header which is which... And another browser or a future version might do it differently, I suppose. So: that's not going to help.

I assume the actual session handling is not done by Seam, right? (thus: one cannot use different cookie names for HTTP and HTTPS)


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050757#4050757
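The Secure-attribute behaviour the post relies on ("browsers won't send secure cookies over non-SSL connections") can be checked offline with Python's standard cookie jar, whose policy mirrors what browsers do. This is an added example, not code from the post or from JBoss Seam; the hostname `app.example.test`, the cookie value and the helper names are constructed for illustration. It issues the same JSESSIONID cookie twice, once without and once with `Secure`, and shows which requests would carry it.

```python
"""Which requests carry a session cookie, with and without the Secure flag.

Added example (not from the original post or JBoss). http.cookiejar follows
the same rule as browsers: a cookie flagged Secure is only attached to
requests whose scheme is https. Host names and values below are made up.
"""
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: only info() is needed by the jar."""

    def __init__(self, set_cookie_lines):
        self._msg = email.message.Message()
        for line in set_cookie_lines:
            self._msg.add_header("Set-Cookie", line)

    def info(self):
        return self._msg


def jar_after_login(set_cookie_lines, login_url="https://app.example.test/login"):
    """Return a cookie jar as it would look after a login response over HTTPS
    carrying the given Set-Cookie header lines (constructed input)."""
    jar = http.cookiejar.CookieJar()
    req = urllib.request.Request(login_url)
    jar.extract_cookies(_FakeResponse(set_cookie_lines), req)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or None if no cookie would be sent (the policy rejected all of them)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def demo():
    """Contrast a session cookie issued without and with the Secure flag."""
    # Weak: set over HTTPS but not flagged Secure. Any later plain-http
    # request to the same host (an image, a redirect target, a link typed
    # without https) carries the session id in clear text.
    weak = jar_after_login(["JSESSIONID=0123ABCD; Path=/; HttpOnly"])
    leaked = cookie_header_for(weak, "http://app.example.test/images/logo.png")

    # Hardened: same cookie with Secure. The plain-http request goes out
    # without it (so the server sees no session there), HTTPS still has it.
    hardened = jar_after_login(["JSESSIONID=0123ABCD; Path=/; Secure; HttpOnly"])
    over_http = cookie_header_for(hardened, "http://app.example.test/images/logo.png")
    over_https = cookie_header_for(hardened, "https://app.example.test/account")
    return leaked, over_http, over_https


if __name__ == "__main__":
    leaked, over_http, over_https = demo()
    print("no Secure flag, http request :", leaked)
    print("Secure flag,    http request :", over_http)
    print("Secure flag,    https request:", over_https)
```

The first line prints the session id, the second prints `None`, the third prints the session id again. That is the whole trade-off the thread is circling: with one session cookie shared by HTTP and HTTPS, either it leaks on every plain-HTTP request, or, once marked Secure, plain-HTTP requests arrive without any session and the container will start a fresh one for them. Whether the container marks its session cookie Secure is container configuration rather than something Seam controls; in Servlet 3.0 and later it is the `<secure>` element under `<session-config><cookie-config>` in web.xml (a later standard than the one current when this post was written).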
