JavaRanch » Java Forums » Java » Servlets

Security hazard?

Christopher Arthur
Ranch Hand

Joined: Mar 09, 2004
Posts: 149
I have noticed that a lot of web servers with user accounts handle security by using https for the login page, but after successful login, all communication is handled via just http. Is this a security hazard?

Suppose someone is listening in (is this even possible) on my computer and I login to some service which uses https, so I can feel confident that my username and password are secure. The server issues me a session id and then reverts to http for subsequent communications? So since the session id is being passed unencrypted, can't the listener figure out what it is and start sending his own communications using my session id? He wouldn't even seem to need to know my password/username to ghost me as long as the id is valid.


Daniel Rhoades
Ranch Hand

Joined: Jun 30, 2004
Posts: 186
Chris, what you are talking about is session hijacking, and yes, it's possible. One way to help prevent this is to keep the channel encrypted after login.

Drinking more tea is the key...
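One way to enforce "keep the channel encrypted after login" in a servlet application, as an added example that is not code from this thread or from either poster: a filter that refuses to serve anything over plain http, and that treats a session id which did arrive in the clear as already exposed. It assumes the container's standard session cookie is in use and that the filter is mapped to every URL that matters; the class name and the redirect logic are this example's own choices.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (hypothetical class, not from the thread): reject plain http
 * after login so the session id never travels unencrypted.
 *
 * Map this filter to "/*" in web.xml. Any request that reaches it over http
 * is redirected to the same URL over https. If that request carried a session
 * id, the id has already been visible to anyone on the path, so the session
 * is invalidated rather than reused: a listener who replays it gets nothing.
 */
public class RequireHttpsFilter implements Filter {

    public void init(FilterConfig config) {
        // nothing to configure in this example
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // A session id that arrived over http must be treated as leaked.
            // Dropping it costs an unauthenticated visitor nothing and makes a
            // captured id worthless to whoever captured it.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }

            // Rebuild the requested URL with the https scheme and redirect.
            String url = request.getRequestURL().toString()
                    .replaceFirst("^http://", "https://");
            String query = request.getQueryString();
            if (query != null) {
                url = url + "?" + query;
            }
            response.sendRedirect(url);
            return;
        }

        // Encrypted channel: let the request through to the servlet.
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release in this example
    }
}
```

The filter is a backstop, not the whole fix: the browser should never send the session cookie over http in the first place, which is what the cookie's Secure flag is for. Containers that implement Servlet 3.0 can set it declaratively in web.xml with `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>`, and a `<security-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` makes the container itself demand https for the protected URL patterns. Used together, the session id only ever moves inside the encrypted channel, which removes the listener's opportunity described in the question.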