http://issues.apache.org/bugzilla/show_bug.cgi?id=40222

------- Additional Comments From [EMAIL PROTECTED] 2007-01-12 00:37 -------

NO, the problem is that the SessionID, when switching from HTTP to HTTPS, remains the same!!! I believe this is a serious security issue and should be dealt with.

The attack scenario again:

1) An HTTP page assigns a SessionID.
2) A man-in-the-middle notices the SessionID.
3) Upon the switch to HTTPS, the SessionID remains the same. After login to the HTTPS secure area, the man-in-the-middle is able to access all HTTPS pages just using the SessionID obtained.