[jboss-user] [JBoss Seam] - Re: Redirect to HTTPS
do-not-reply at jboss.com
Thu Mar 1 13:26:16 EST 2007
while I'm certainly happy that http<->https switching functionality is available (that's what I've been asking for) I was wondering if you implemented any security precautions because by switching from https back to http you open a security hole if you rely only on the jsessionid cookie / request parameter.
I.e: I login via https and get redirected - after correctly login in - to a http page. Now my sessionid was transmitted unencrypted and everyone who can listen to my network traffic can hijack my session simply by using the same sessionid (the only problem might be that the ips are different so the attacker has to be behind the same proxy).
Any clarification please ;) ?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4024422#4024422
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4024422
More information about the jboss-user