dev@glassfish.java.net

Re: security risk of exposing jsessionid?

From: Lloyd Chambers <Lloyd.Chambers_at_Sun.COM>
Date: Fri, 25 Jul 2008 17:54:37 -0700

Jan,

Thanks, makes sense.

I did/do use/enable cookies in my browser ("only from originating
site"), so I'm puzzled as to why/when opensolaris.org put jsessionid
in the URL. Some kind of bug. I don't remember which page garnered
the jsessionid add-on.

If I understand correctly, there is "basic security" here: don't
needlessly expose jsessionid in the URL, and the preferred "over the
wire security": prevent any snooping via https/SSL.

Lloyd

On Jul 25, 2008, at 5:43 PM, Jan.Luehe_at_Sun.COM wrote:

> Lloyd Chambers wrote:
>
>> I had sent the email below earlier today. Note that it includes
>> jsessionid encoded in the URL.
>>
>> Now in this case, there is nothing particularly sensitive about
>> opensolaris.org.
>>
>> But what are the security ramifications of a web site including
>> jsessionid in the URL itself like this? Would this allow someone
>> to hijack the session if the URL could be observed (or simply
>> emailed as I've done).
>
>
> Yes, that would be a problem.
>
> If you want to protect your JSESSIONID, use cookies and HTTPS. When a
> session is first created from an HTTPS request, and cookies are
> enabled, the JSESSIONID will be returned in a cookie that is marked as
> "secure", causing the browser to never include this cookie with any
> HTTP, but only with HTTPS requests.
>
>
> Jan
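Jan's recommendation (cookie-only session tracking with a Secure-flagged JSESSIONID over HTTPS) and Lloyd's summary can be enforced by the application itself rather than left to browser settings or to the page that happened to trigger URL rewriting. The following is an added example, not code from this thread or from GlassFish; it assumes a Servlet 3.0 or newer container (the session-tracking and cookie-config APIs postdate this 2008 discussion), and the class and filter names are made up for the illustration.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

// Added example (not from the thread or GlassFish). Assumes the Servlet 3.0+ API:
// 1) tell the container to track sessions only via cookies, so it never
//    appends ";jsessionid=..." to URLs it encodes, and never accepts one;
// 2) mark the session cookie Secure (sent only over HTTPS) and HttpOnly;
// 3) as a fallback for older containers, refuse requests that still carry
//    a session ID in the URL (e.g. an old link pasted into an e-mail).
@WebListener
public class CookieOnlySessions implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        cfg.setSecure(true);    // browser sends JSESSIONID only on HTTPS requests
        cfg.setHttpOnly(true);  // not readable by page scripts
        // Register the fallback filter programmatically for every URL.
        ctx.addFilter("rejectUrlSessionId", RejectUrlSessionIdFilter.class)
           .addMappingForUrlPatterns(null, false, "/*");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    public static class RejectUrlSessionIdFilter implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            if (request.isRequestedSessionIdFromURL()) {
                // Do not resume or touch the session: an ID observed in a URL is
                // untrusted, so simply refuse to serve the request with it.
                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                                   "session id in URL is not accepted");
                return;
            }
            // Neutralise URL rewriting for any code that still calls encodeURL().
            chain.doFilter(request, new HttpServletResponseWrapper(response) {
                @Override public String encodeURL(String url) { return url; }
                @Override public String encodeRedirectURL(String url) { return url; }
            });
        }
        @Override public void init(FilterConfig fc) { }
        @Override public void destroy() { }
    }
}
```

With cookie-only tracking a user who has disabled cookies simply gets a fresh session on each request instead of a rewritten URL, which is the intended trade-off here.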