Wednesday, October 01, 2008

SESSION ID

The Register describes the potential problems with session IDs in web applications: if an attacker steals your session ID, they have full access to your account for as long as that session lives. The remedy is to use SSL and to send the session cookie only over an SSL connection, so the identifier never crosses the network in clear text. Several JSOS components help you with this:

JSession filter - disables the jsessionid URL parameter, so the session ID is carried in a cookie only (never in URLs, logs or referers)
Secure Redirector - forces HTTPS connections by redirecting plain HTTP requests
Protected sessions - lets you bind a session to a client IP address (the IP address must stay the same for the whole lifetime of the session)
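As an added illustration of the three measures above, and not JSOS's own code, the following servlet filter forces HTTPS, refuses a session presented from a different IP address, and stops jsessionid from being appended to URLs. It assumes the Servlet 2.5 javax.servlet API and uses a hypothetical session attribute name, guard.boundIp.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example (not JSOS code): HTTPS only, cookie-only session IDs, IP-bound sessions. */
public class SessionGuardFilter implements Filter {
    private static final String BOUND_IP = "guard.boundIp"; // hypothetical attribute name

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Force HTTPS: a session cookie sent over plain HTTP can be read on the wire.
        if (!request.isSecure()) {
            StringBuffer url = request.getRequestURL();              // e.g. http://host/path
            String target = "https://" + url.substring(url.indexOf("://") + 3);
            if (request.getQueryString() != null) target += "?" + request.getQueryString();
            response.sendRedirect(target);
            return;
        }

        // 2. Bind the session to the client IP; a stolen ID replayed from elsewhere is rejected.
        HttpSession session = request.getSession(true);
        String ip = request.getRemoteAddr();
        String bound = (String) session.getAttribute(BOUND_IP);
        if (bound == null) {
            session.setAttribute(BOUND_IP, ip);                       // first request: remember IP
        } else if (!bound.equals(ip)) {
            session.invalidate();                                     // mismatch: kill the session
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Session/IP mismatch");
            return;
        }

        // 3. Never rewrite jsessionid into URLs: the ID stays in the cookie only.
        HttpServletResponse noRewrite = new HttpServletResponseWrapper(response) {
            @Override public String encodeURL(String u) { return u; }
            @Override public String encodeRedirectURL(String u) { return u; }
        };
        chain.doFilter(request, noRewrite);
    }
}
```

Map the filter to /* in web.xml ahead of application filters; the cookie's own Secure flag is set by the container's session configuration, which this filter does not replace.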
