[CLUE-Tech] LDAP
Jeffery Cann
fabian at jefferycann.com
Tue Jan 15 06:18:56 MST 2002
On Monday 14 January 2002 04:31 pm, Grant Johnson wrote:
> Session hijacking is a real concern on the web apps, and this system
> needs to be usable for network logons, Windows fat client logons,
> database logons, etc.
To avoid this, use SSL to log in and make sure you encrypt the cookie payload.
This will avoid sniffing attacks.
For the cookie, I would only store the session id with a time of -1 which
will force the cookie to remain in memory. This will avoid the cookie spoof
attack.
Also, storing a session id will allow you to more easily implement single
sign-on (SSO).
If you want more info on SSO, let me know and I can give you some links. It
just so happens that I am implementing a J2EE SSO prototype at work...
Jeff
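The cookie handling Jeff describes (only an opaque session id in the cookie, no expiry so the browser keeps it in memory, server-side state keyed by that id), as an added example that is not code from the original post. It is plain Python standard library, with hypothetical names (`SessionStore`, `login_set_cookie_header`, `authenticate_request`); omitting `Max-Age`/`Expires` is the equivalent of Java's `Cookie.setMaxAge(-1)`, and the `HttpOnly` flag and idle timeout are additions the post does not mention.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

SESSION_COOKIE = "SESSIONID"
IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, not from the post


class SessionStore:
    """Server-side session table: the cookie carries only the key.

    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}

    def create(self, username):
        # 256 bits from the OS CSPRNG: an attacker cannot guess or enumerate ids.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "last_seen": self._now()}
        return sid

    def lookup(self, sid):
        """Return the user bound to sid, or None if unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def login_set_cookie_header(store, username):
    """Build the Set-Cookie header sent after a successful (SSL) login."""
    sid = store.create(username)
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    cookie[SESSION_COOKIE]["path"] = "/"
    # Secure: the browser only sends the cookie over SSL, so it cannot be sniffed.
    cookie[SESSION_COOKIE]["secure"] = True
    # HttpOnly: script cannot read it (added here; not mentioned in the post).
    cookie[SESSION_COOKIE]["httponly"] = True
    # No max-age/expires: a session cookie lives in browser memory only and is
    # discarded when the browser closes (Java: Cookie.setMaxAge(-1)).
    return cookie.output(header="Set-Cookie:")


def authenticate_request(store, cookie_header):
    """Parse an incoming Cookie header; return the user or None if not logged in."""
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header or "")
    except CookieError:
        return None
    morsel = cookie.get(SESSION_COOKIE)
    if morsel is None:
        return None
    # Only the lookup in the server-side table decides; the cookie value itself
    # carries no user data that could be edited or spoofed.
    return store.lookup(morsel.value)


if __name__ == "__main__":
    store = SessionStore()
    header = login_set_cookie_header(store, "grant")
    print(header)
    sid = header.split("SESSIONID=")[1].split(";")[0]
    print("valid id ->", authenticate_request(store, "SESSIONID=" + sid))
    print("guessed id ->", authenticate_request(store, "SESSIONID=0123456789"))
    store.destroy(sid)
    print("after logout ->", authenticate_request(store, "SESSIONID=" + sid))
```

The `IDLE_TIMEOUT` is the server-side half of the design: the browser dropping an in-memory cookie only protects against someone reading a cookie file later, so the server still has to expire idle ids itself and remove them on logout.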