[jboss-user] [JBoss Seam] - Re: sessionId cookie: man-in-the-middle attack
avbentem
do-not-reply at jboss.com
Sun Jun 3 13:48:18 EDT 2007
> browsers don't actually maintain two session ids,
> one for HTTP and one for HTTPS
Ohhh, good thinking...!
You might know that a cookie can be set to be secure, and should then not be used for plain HTTP. I guess all browsers support that and won't send secure cookies over non-SSL connections.
Of course we can also find specifications for the specific situation you describe, but I doubt one can rely on those being implemented alike by all browsers. Like what happens while switching, and while using HTTP and HTTPS simultaneously. Maybe some browser sends back two cookies for SSL connections: both the HTTP and HTTPS cookies -- but then how would one tell from the HTTP header which is which... And another browser or a future version might do it differently I suppose. So: that's not going to help.
I assume the actual session handling is not done by Seam, right? (thus: one cannot use different cookie names for HTTP and HTTPS)
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050757#4050757
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4050757
More information about the jboss-user
mailing list