Re: Setting SSL for login pages

2011-06-21 Thread Rafael Liu
Well, if it's the spec I guess there's not much to argue. Maybe turn it into an option, but I already got the feeling of the community. I won't insist as this is my specific requirement and may not be of use to a wide range of the community. Mark, there could be a MIM attack but that's yet another

Re: Setting SSL for login pages

2011-06-21 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rafael, On 6/21/2011 12:05 PM, Rafael Liu wrote: > I agree it's kind of a philosophical question but I see some real > implications. Anyway, for the record, as a quick and dirty fix I set the > full URL with https schema in /form@action. But the hosti

Re: Setting SSL for login pages

2011-06-21 Thread Mark Thomas
On 21/06/2011 17:05, Rafael Liu wrote: > Hey Chris, > > as you said, each problem compromises different kinds of things: account vs > credentials. And I think they have different kinds of consequences and can > be, each one, dangerous in its own way. I brought the discussion into the list > because I

Re: Setting SSL for login pages

2011-06-21 Thread Rafael Liu
Hey Chris, as you said, each problem compromises different kinds of things: account vs credentials. And I think they have different kinds of consequences and can be, each one, dangerous in its own way. I brought the discussion into the list because I thought it was relevant. Looking at the code, a fi

Re: Setting SSL for login pages

2011-06-21 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rafael, On 6/20/2011 8:12 PM, Rafael Liu wrote: > Good point Chuck. I agree with you, the webapp wouldn't be all secured. But > there are 2 different things here: > > * the issue with the plain password > * the issue with session hijacking This does

Re: Setting SSL for login pages

2011-06-21 Thread Rafael Liu
From: Rafael Liu [mailto:rafael...@gmail.com] > Sent: den 21 juni 2011 03:12 > To: Tomcat Users List > Subject: RE: Setting SSL for login pages > > Good point Chuck. I agree with you, the webapp wouldn't be all secured. > But there are 2 different things here: > > * th

RE: Setting SSL for login pages

2011-06-21 Thread André Brunnsberg
cookie files under normal HTTP with the Firesheep extension for Firefox. Cheers, André -Original Message- From: Rafael Liu [mailto:rafael...@gmail.com] Sent: den 21 juni 2011 03:12 To: Tomcat Users List Subject: RE: Setting SSL for login pages Good point Chuck. I agree with you, the webapp

RE: Setting SSL for login pages

2011-06-20 Thread Rafael Liu
Good point Chuck. I agree with you, the webapp wouldn't be all secured. But there are 2 different things here: * the issue with the plain password * the issue with session hijacking The first one gives the hacker private information about the user (which can even be used by the user some

RE: Setting SSL for login pages

2011-06-20 Thread Caldarale, Charles R
> From: Rafael Liu [mailto:rafael...@gmail.com] > Subject: Setting SSL for login pages > I think it would be natural something like this: > > > SSL login > /login/* > > > CONFIDENTIAL > > The login pages are usually not specified in the ; only the pages to be protecte