[jboss-user] [JBoss Seam] - Re: sessionId cookie: man-in-the-middle attack
gavin.king@jboss.com
do-not-reply at jboss.com
Sun Jun 3 13:25:34 EDT 2007
anonymous wrote : Old session data should then be copied to new session.
OK, I guess I can see how this is useful in some cases of upgrading from HTTP to HTTPS, but actually I was thinking more of the opposite case of HTTPS back down to HTTP. At this point the session data should be destroyed, since it can have sensitive information in it (esp. in a stateful Seam app).
However, my current implementation didn't account for multi-window operation (!) so I will have to actually enhance it to "remember" the latest scheme because (correct me if I'm wrong) browsers don't actually maintain two session ids, one for HTTP and one for HTTPS, they just pop up an impenetrable and ignorable dialog to the user saying "you are about to change from a secure to an insecure connection". Right?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050754#4050754
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4050754
More information about the jboss-user
mailing list