The "man in the middle" attack you describe below is one possible
issue. However it's easy to capture cookies and provide those in an
attack. An effective hacker is going to be able to look exactly like
the client on an unencrypted connection. URL-encoded sessionIds can
cause headaches if a proxy in the middle strips off the sessionIds on
the way through or if the search bots suck up URLs with sessionIds. If
your app can effectively handle those cases, I don't see a downside.
--David
mfs wrote:
Guys,
I would want to know the downsides to using cookie-less sessions? I want to
give my client the freedom to disable cookies on the browser if he chooses
to, but I would want to know the implications of that.
Some say exposing your sessionId in the URL exposes it to hackers who can
spoof the IP (as of the victim) and provide the jsessionId (in the URL) and
can gain control of the victim's session, but if you are using SSL, that
shouldn't be an issue.
Would someone comment on the real hazards/bottlenecks to the cookie-less
approach.
Thanks in advance and Regards,
Farhan.
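The hazards raised in this thread (a URL-rewritten session id ending up in access logs, in Referer headers, in a search bot's crawl, or replayed by someone who captured it on an unencrypted connection) are easy to spot in a server log once you know what to look for. The following is an added example, not code from the thread or from Tomcat, written in Python rather than as a servlet so it can be run against a log file offline. It assumes Tomcat's `;jsessionid=` path-parameter form of URL rewriting (plus a `jsessionid=` query parameter some frameworks use), an Apache/Tomcat "combined" access-log layout with a Referer field, and the log lines below, which are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Tomcat's URL rewriting appends the id as a path parameter:
#   /app/page.jsp;jsessionid=ABC123?x=1
# Some frameworks carry it as a query parameter instead; both forms are handled.
# The trailing ".jvmRoute" suffix used behind a load balancer is allowed by the dot.
PATH_PARAM_RE = re.compile(r";jsessionid=([0-9A-Za-z.]+)", re.IGNORECASE)
QUERY_PARAM_RE = re.compile(r"[?&]jsessionid=([0-9A-Za-z.]+)", re.IGNORECASE)

# "Combined" access-log layout (assumed): ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: a user whose session id is in the URL, the same id then
# leaking via Referer, a crawler picking up a rewritten URL, and a replay of the
# first id from a different client address.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2004:10:01:22 +0000] "GET /app/account;jsessionid=1A2B3C4D5E6F HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [10/Mar/2004:10:02:01 +0000] "GET /app/static/logo.png HTTP/1.1" 200 881 "http://www.example.com/app/account;jsessionid=1A2B3C4D5E6F" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Mar/2004:10:05:44 +0000] "GET /app/catalog?item=42&jsessionid=9Z8Y7X6W HTTP/1.1" 200 2048 "-" "Googlebot/2.1"',
    '192.0.2.77 - - [10/Mar/2004:10:09:13 +0000] "GET /app/account;jsessionid=1A2B3C4D5E6F HTTP/1.1" 200 5120 "-" "curl/7.10"',
]


def extract_session_id(url):
    """Return the session id carried in a URL (path parameter or query), or None."""
    for rx in (PATH_PARAM_RE, QUERY_PARAM_RE):
        m = rx.search(url)
        if m:
            return m.group(1)
    return None


def strip_session_id(url):
    """Remove the session id from a URL.

    This is what a sanitising proxy does on the way through (the case David
    mentions), and what you should do to a URL before writing it to a log or
    passing it on as a Referer.
    """
    url = PATH_PARAM_RE.sub("", url)
    parts = urlsplit(url)
    if parts.query:
        kept = [kv for kv in parts.query.split("&") if not kv.lower().startswith("jsessionid=")]
        url = urlunsplit(parts._replace(query="&".join(kept)))
    return url


def find_session_leaks(lines):
    """Scan log lines; return {session_id: {"ips": set, "sources": set, "bot": bool}}.

    "sources" records whether the id appeared in the request URL, the Referer,
    or both. A Referer leak in your own log means the same header reached any
    third-party site the user clicked through to.
    """
    leaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for source, url in (("request", m.group("url")), ("referer", m.group("referer"))):
            sid = extract_session_id(url)
            if sid is None:
                continue
            rec = leaks.setdefault(sid, {"ips": set(), "sources": set(), "bot": False})
            rec["ips"].add(m.group("ip"))
            rec["sources"].add(source)
            if "bot" in m.group("ua").lower():
                rec["bot"] = True
    return leaks


def shared_sessions(leaks):
    """Ids seen from more than one client address: a NAT/proxy, or a captured id being replayed."""
    return sorted(sid for sid, rec in leaks.items() if len(rec["ips"]) > 1)


if __name__ == "__main__":
    leaks = find_session_leaks(SAMPLE_LOG)
    for sid, rec in sorted(leaks.items()):
        print(sid, "ips=%s sources=%s bot=%s" % (sorted(rec["ips"]), sorted(rec["sources"]), rec["bot"]))
    print("possible replay:", shared_sessions(leaks))
    print(strip_session_id("https://www.example.com/app/cart;jsessionid=ABC123?item=3"))
```

Run it as-is to see the constructed log analysed, or feed `find_session_leaks` the lines of a real access log. An id that appears in both `request` and `referer` has already left the server's control; one seen from a crawler's user agent may be indexed; one used from several client addresses deserves a look at whether those requests came over SSL, since over plain HTTP anyone on the path could have captured it, exactly as David describes.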
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]