
Security hazard?

Christopher Arthur
Ranch Hand
Posts: 149
I have noticed that a lot of web servers with user accounts handle security by using https for the login page, but after successful login, all communication is handled via just http. Is this a security hazard?

Suppose someone is listening in (is this even possible) on my computer and I login to some service which uses https, so I can feel confident that my username and password are secure. The server issues me a session id and then reverts to http for subsequent communications? So since the session id is being passed unencrypted, can't the listener figure out what it is and start sending his own communications using my session id? He wouldn't even seem to need to know my password/username to ghost me as long as the id is valid.

Regards,

C.Arthur
 
Daniel Rhoades
Ranch Hand
Posts: 186
Chris, what you are talking about is session hijacking, and yes, it's possible. One way to help prevent this is to keep the channel encrypted after login.
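An added example, not code from either poster, of what "keep the channel encrypted after login" looks like at the server: a small WSGI middleware that (1) refuses to serve a request carrying the session cookie over plain http and redirects it to https, and (2) adds the Secure and HttpOnly attributes to the session cookie when it is issued, so the browser will not send it over http in the first place. The cookie name JSESSIONID is only the Java servlet default; `RequireHttpsForSession`, `demo_app`, `call_app` and the host `example.test` are all constructed for this example. Python WSGI is used here so the example runs stand-alone; the same logic is what a servlet filter would do.

```python
"""Keep an authenticated session on HTTPS (added example, WSGI middleware)."""
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults, request_uri

SESSION_COOKIE = "JSESSIONID"  # assumed: the servlet default session cookie name


def session_cookie_present(environ):
    """True if the incoming request carries our session cookie."""
    jar = SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    return SESSION_COOKIE in jar


def harden_set_cookie(value):
    """Add Secure and HttpOnly to a Set-Cookie value for the session cookie.

    Secure   -> the browser only sends the cookie over https.
    HttpOnly -> script running in the page cannot read it.
    Other cookies are passed through untouched.
    """
    if not value.startswith(SESSION_COOKIE + "="):
        return value
    attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
    if "secure" not in attrs:
        value += "; Secure"
    if "httponly" not in attrs:
        value += "; HttpOnly"
    return value


class RequireHttpsForSession:
    """Redirect plain-http requests that carry a session cookie to https,
    and mark the session cookie Secure/HttpOnly on the way out."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # wsgi.url_scheme is what this server saw on the wire; only trust a
        # forwarded scheme header if a proxy you control sets it.
        if environ.get("wsgi.url_scheme") != "https" and session_cookie_present(environ):
            target = request_uri(environ).replace("http://", "https://", 1)
            # The cookie already crossed the network in clear text on this
            # request, so a real deployment should also invalidate that session
            # server-side and issue a fresh id once the client is on https.
            start_response("302 Found", [("Location", target), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            hardened = [(k, harden_set_cookie(v) if k.lower() == "set-cookie" else v)
                        for k, v in headers]
            return start_response(status, hardened, exc_info)

        return self.app(environ, secure_start_response)


def demo_app(environ, start_response):
    """Stand-in application: /login issues a session cookie, anything else is a page."""
    headers = [("Content-Type", "text/plain")]
    if environ.get("PATH_INFO") == "/login":
        headers.append(("Set-Cookie", SESSION_COOKIE + "=abc123; Path=/"))
    start_response("200 OK", headers)
    return [b"ok\n"]


def call_app(app, scheme, path, cookie_header=""):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {"HTTP_COOKIE": cookie_header, "PATH_INFO": path, "SCRIPT_NAME": "",
               "HTTP_HOST": "example.test", "wsgi.url_scheme": scheme}
    setup_testing_defaults(environ)  # fills in the remaining required WSGI keys
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = RequireHttpsForSession(demo_app)
    print(call_app(app, "https", "/login"))                        # cookie issued with Secure; HttpOnly
    print(call_app(app, "http", "/account", "JSESSIONID=abc123"))  # 302 to https://example.test/account
    print(call_app(app, "http", "/public"))                        # no session involved, served as-is
```

The redirect only limits the damage; the cookie was already on the wire when the redirect was sent. The Secure attribute is what actually stops the browser from ever sending the session id over http, which is why both halves belong together and why the login page itself must be on https, as the original question assumes.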