Hi!

>> Why I want that? If you've an application with session. So you can get
>> the application information by spying (XSS, browser plugin etc.) or
>> copying (URL with session ID).
>>
>> Because of that the idea was to join SSL session id and application
>> session id, you can avoid that.
>
> Understood on what you are trying to do now. Maybe:
> http://java.sun.com/products/servlet/2.1/api/javax.servlet.ServletRequest.html
> and :
> [...]
> Before all HttpSession object usage you want to validate it, maybe a
> Servlet Filter would be a good way to handle this.
> http://java.sun.com/products/servlet/Filters.html

Thanks... That would be my way...

>> I'm not sure if I completely understand you: The SSL session (ID) can
>> change between two requests?
>
> HTTP is a stateless protocol. So from a pure HTTP perspective, yes sure
> the ID can change between requests. In practice with featureful
> browsers and a normal usage pattern linking them is probably safe; you'll
> have to test with your userbase to be sure.

Oh, now I understand what you want to say... Yes, of course HTTP is stateless.
That was the reason for creating sessions handled with cookies, URL
parameters, referrers etc.

You were a great help. Thanks a lot!

Michael

--
Michael Decker [EMAIL PROTECTED]
TESIS SYSware GmbH http://www.tesis.de
Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0
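
The Servlet Filter approach discussed in this thread, sketched as an added example that is not code from either poster. It assumes a container that exposes the SSL session ID under the Servlet 3.0 request attribute `javax.servlet.request.ssl_session_id` (older containers may use a container-specific name); the class name and the session attribute `example.boundSslSessionId` are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Rejects requests whose SSL session differs from the one the HttpSession was bound to. */
public class SslSessionBindingFilter implements Filter {
    // Defined by Servlet 3.0; assumption: the container populates it on HTTPS requests.
    private static final String SSL_ID_ATTR = "javax.servlet.request.ssl_session_id";
    // Hypothetical attribute name chosen for this example.
    private static final String BOUND_ID = "example.boundSslSessionId";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Object sslId = request.getAttribute(SSL_ID_ATTR);

        HttpSession session = request.getSession(false);
        if (session != null) {
            Object bound = session.getAttribute(BOUND_ID);
            // A bound session must arrive on the same SSL session. The ID can also
            // change legitimately (see the thread), so a mismatch forces a new login
            // instead of being treated as proof of theft.
            if (bound != null && !bound.equals(sslId)) {
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }

        chain.doFilter(req, res);

        // Bind after the chain too, so a session created by this request (e.g. at
        // login) is tied to its SSL session before any later request can present it.
        session = request.getSession(false);
        if (session != null && sslId != null && session.getAttribute(BOUND_ID) == null) {
            session.setAttribute(BOUND_ID, sslId);
        }
    }
}
```

A session that never gets bound (plain HTTP, or a container that does not supply the attribute) passes through unchecked here, so the filter only helps when the application is reachable over HTTPS alone.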