On Mar 27, 2008, at 7:55 AM, mario ruggier wrote:

> I believe there is little issue with transmitting the session id
> cookie in the clear -- even if this is eavesdropped, it should not
> be possible (at least not without a lot of other additional
> trickery) for another client to hijack any server-side session data
> (maybe David can confirm this?).

The remote IP address of the request is checked to make sure that it agrees with the one given at the time of authentication, but this is a very weak link. An eavesdropper with your cookie should be considered as having all of the power that the web application allows to the original authenticated user.
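An added example, not code from this thread or from the project it discusses, showing the check the reply describes (session bound to the IP seen at authentication) and why it is a weak link, alongside the cookie attributes that keep the id off cleartext HTTP in the first place. The in-memory store, the function names and the Secure/HttpOnly mitigation are assumptions.

```python
"""Constructed example: an IP-bound session store and the cookie attributes
that keep the session id off cleartext HTTP. Not the project's own code."""
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    client_ip: str  # remote address recorded when the user authenticated


# Assumed in-memory store: session id -> Session
SESSIONS: Dict[str, Session] = {}


def login(user: str, remote_ip: str) -> str:
    """Create a server-side session bound to the authenticating client's IP."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user=user, client_ip=remote_ip)
    return sid


def validate(sid: str, remote_ip: str) -> Optional[str]:
    """The check the thread describes: the request's remote IP must match the
    one seen at authentication. Returns the user on success, else None.
    It rejects a replayed cookie only when the replay comes from a different
    address; a client behind the victim's NAT or proxy passes unchallenged."""
    sess = SESSIONS.get(sid)
    if sess is None or sess.client_ip != remote_ip:
        return None
    return sess.user


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value for the session id (assumed mitigation, not one the
    thread prescribes): Secure stops the browser from sending it over plain
    HTTP, so the id is never exposed to a passive eavesdropper."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True    # sent only over HTTPS
    cookie["sid"]["httponly"] = True  # not readable from page scripts
    cookie["sid"]["samesite"] = "Strict"
    return cookie.output(header="").strip()
```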