I have noticed that a lot of web servers with user accounts handle security by using https for the login page, but after successful login, all communication is handled via just http. Is this a security hazard?
Suppose someone is listening in (is this even possible) on my computer and I log in to some service which uses https, so I can feel confident that my username and password are secure. The server issues me a session id and then reverts to http for subsequent communications? So since the session id is being passed unencrypted, can't the listener figure out what it is and start sending his own communications using my session id? He wouldn't even seem to need to know my password/username to ghost me as long as the id is valid.
posted 10 years ago
Chris, what you are talking about is session hijacking, and yes, it's possible. One way to help prevent this is to keep the channel encrypted after login.
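As an added illustration (not part of the thread), here is a small defender-side audit that checks whether a server's session cookie and headers actually keep the session on the encrypted channel the answer above recommends. The header values are constructed samples; the cookie name JSESSIONID is just an example.

```python
# Audit Set-Cookie / HSTS headers for the "https login, http afterwards" weakness.
# Sample headers below are constructed for illustration, not captured from a real site.

WEAK_RESPONSE = {
    "set-cookie": ["JSESSIONID=abc123; Path=/; HttpOnly"],
}
HARDENED_RESPONSE = {
    "set-cookie": ["JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_session_transport(response_headers):
    """Return a list of findings; an empty list means the session stays on https."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    findings = []
    for raw in headers.get("set-cookie", []):
        name, _, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            # Without Secure the browser will attach this cookie to plain http
            # requests, which is exactly what lets a passive listener read the id.
            findings.append(f"{name}: missing Secure flag")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly flag")
    if "strict-transport-security" not in headers:
        # Without HSTS the browser will happily follow http:// links after login.
        findings.append("missing Strict-Transport-Security header")
    return findings

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_session_transport(resp) or "OK")
```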