Security hazard?

Christopher Arthur
Ranch Hand

Joined: Mar 09, 2004
Posts: 149
I have noticed that a lot of web servers with user accounts handle security by using https for the login page, but after successful login, all communication is handled via just http. Is this a security hazard?

Suppose someone is listening in (is this even possible) on my computer and I login to some service which uses https, so I can feel confident that my username and password are secure. The server issues me a session id and then reverts to http for subsequent communications? So since the session id is being passed unencrypted, can't the listener figure out what it is and start sending his own communications using my session id? He wouldn't even seem to need to know my password/username to ghost me as long as the id is valid.

Regards,

C.Arthur
Daniel Rhoades
Ranch Hand

Joined: Jun 30, 2004
Posts: 186
Chris, what you are talking about is session hijacking, and yes, it's possible. One way to help prevent this is to keep the channel encrypted after login.


Drinking more tea is the key...
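Added example (not code from either poster): one way to apply Daniel's advice in a Servlet 3.0+ application, so the session id is never sent over plain http after login. It assumes the whole application is meant to be https-only and that https is served on the default port 443.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Marks the JSESSIONID cookie Secure (the browser withholds it on http://
// requests) and HttpOnly (page scripts cannot read it). Servlet 3.0+ API.
@WebListener
class SecureSessionCookieConfig implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setSecure(true);
        cfg.setHttpOnly(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

// Redirects every plain-http request to its https equivalent (assumed port
// 443), so no request carrying a session id is accepted over a cleartext link.
@WebFilter("/*")
public class RequireHttpsFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!request.isSecure()) {
            StringBuilder target = new StringBuilder("https://")
                    .append(request.getServerName())
                    .append(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.sendRedirect(target.toString()); // POST bodies are not preserved
            return;
        }
        // Ask the browser to use https for this host for the next year (HSTS).
        response.setHeader("Strict-Transport-Security", "max-age=31536000");
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Behind a proxy that terminates TLS and forwards plain http to the container, `request.isSecure()` returns false for every request, so the container's connector must be configured to trust the proxy's forwarding headers or the filter will loop.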