JavaRanch » Java Forums » Java » Servlets
Security hazard?

Christopher Arthur
Ranch Hand

Joined: Mar 09, 2004
Posts: 149
I have noticed that a lot of web servers with user accounts handle security by using https for the login page, but after successful login, all communication is handled via just http. Is this a security hazard?

Suppose someone is listening in (is this even possible) on my computer and I log in to some service which uses https, so I can feel confident that my username and password are secure. The server issues me a session id and then reverts to http for subsequent communications? So since the session id is being passed unencrypted, can't the listener figure out what it is and start sending his own communications using my session id? He wouldn't even seem to need to know my password/username to ghost me as long as the id is valid.

Regards,

C.Arthur
Daniel Rhoades
Ranch Hand

Joined: Jun 30, 2004
Posts: 186
Chris, what you are talking about is session hijacking, and yes, it's possible. One way to help prevent this is to keep the channel encrypted after login.


Drinking more tea is the key...
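As an added illustration of the advice in this thread (not code from either poster), here is how a Servlet 3.0 web application can keep the session on TLS after login: mark the session cookie Secure and HttpOnly so the browser never sends the id over plain http, redirect any plaintext request to https before the session is touched, and issue a fresh session id at login so an id observed before authentication is worthless afterwards. It assumes the `javax.servlet` 3.0 API and a container that handles TLS itself; the filter mapping `/*`, the `user` attribute name, and the `RequireHttpsFilter` / `SecureSessionConfig` class names are my own choices. The listener is package-private only so both classes compile from one file; in a real project each would live in its own source file.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Rejects plaintext requests before any servlet can read the session.
 * The mapping "/*" is an assumption: apply it to whatever part of the
 * application is reachable only by logged-in users.
 */
@WebFilter("/*")
public class RequireHttpsFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // Plain http: do not consult or create a session here, just
            // send the client to the same URL over https.
            StringBuilder target = new StringBuilder("https://")
                    .append(request.getServerName())
                    .append(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.sendRedirect(target.toString());
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Call this from the login servlet after the credentials have been
     * verified. Invalidating the pre-login session and creating a new one
     * makes the container hand out a fresh id, so an id that was observed
     * on the wire before login no longer maps to an authenticated session.
     * The "user" attribute name is an assumption.
     */
    public static HttpSession establishLoginSession(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("user", username);
        return fresh;
    }
}

/**
 * Sets the session cookie flags once at startup. With Secure set, the
 * browser withholds the JSESSIONID cookie on any http request, so even a
 * stray http link cannot leak the id; HttpOnly keeps it away from script.
 */
@WebListener
class SecureSessionConfig implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cookies = sce.getServletContext().getSessionCookieConfig();
        cookies.setSecure(true);
        cookies.setHttpOnly(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

The same two settings can be expressed declaratively in `web.xml`: a `<security-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` on the protected URL patterns, and `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>` for the cookie flag. One caveat when TLS is terminated at a reverse proxy in front of the container: `request.isSecure()` then reports false unless the container is configured to trust the proxy's forwarded headers (Tomcat's RemoteIpValve, for example), so check that before relying on the filter.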