If your only requirement is that you can pass parameters only via GET, take into consideration that you can recover the session content through the jsessionid GET parameter.
> You should sha/md5 your password before sending it. This of course is
> client side and you could do that with javascript. You could use this:
> http://www.bichlmeier.info/sha256.html
> Anyway, people might be able to sniff this encrypted password and use
> the encrypted version to login.

I have been using a similar approach in an iPad application (where the client side provides something more than simple JavaScript); in order to mitigate this kind of risk I chose to send a time-based, salted hash, according to the challenge-response authentication scheme [1].

I think this is a way to complicate your life, and you should do that only if it is strictly necessary (in my case the requirement was to remember the user authentication).

[1] http://en.wikipedia.org/wiki/Challenge-response_authentication

--
Maurizio Cucchiara