Can I steal a session id?

 
Ali Khalfan
Ranch Hand
Posts: 129
OK, I'm asking this question out of paranoia.

A session is identified by a session id, set either in a cookie or included in the URL if the browser doesn't accept cookies.

This session is not encrypted, is it? What's to stop someone from viewing the session id and then using it themselves?

So if I go to a checkout cart of a web site, someone could get my session id and access the same checkout cart, and then buy more stuff.

Is this possible?

How's it prevented?
 
Marc Peabody
pie sneak
Sheriff
Posts: 4727
That's why things that need to be secure use SSL over HTTP, aka HTTPS. Otherwise, yeah, all I'd need to do is get your JSESSIONID and "steal" your session!
 
Ali Khalfan
Ranch Hand
Posts: 129
That's not good to know.... I know of a site that implements Struts without using SSL (it even handles bill payments).

But I've seen some forums implemented in JSP; they only use HTTPS to validate the user for login, all other requests are done in the clear.

What security is guaranteed here?
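The "HTTPS for login only" pattern discussed above leaves the JSESSIONID cookie travelling in the clear on every later request, so the session is exactly as exposed as if there were no SSL at all. The filter below is an added example (not code from this thread, from Struts or from any container) showing the three server-side controls that close that gap in a plain Servlet 3.0 web app: refuse session ids carried in the URL, treat a session id that arrived over plain HTTP as burnt, and issue a fresh id once login succeeds. The class name, the `"user"` attribute and the `rotateSessionAfterLogin` helper are hypothetical names chosen for this example.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example: session hygiene filter for a Servlet 3.0+ application.
// Pair it with web.xml so the container never emits an insecure cookie:
//   <session-config>
//     <cookie-config><secure>true</secure><http-only>true</http-only></cookie-config>
//     <tracking-mode>COOKIE</tracking-mode>   <!-- no ;jsessionid=... rewriting -->
//   </session-config>
@WebFilter("/*")
public class SessionHygieneFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. A session id in the URL ends up in proxy logs, Referer headers and
        //    browser history. Do not honour it, even if the container accepted it.
        if (request.isRequestedSessionIdFromURL()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Session ids in the URL are not accepted");
            return;
        }

        // 2. If a session id was presented over plain HTTP it has been exposed on
        //    the wire: invalidate it and push the client back onto HTTPS.
        HttpSession existing = request.getSession(false);
        if (existing != null && !request.isSecure()) {
            existing.invalidate();
            response.sendRedirect("https://" + request.getServerName()
                    + request.getRequestURI());
            return;
        }
        chain.doFilter(request, response);
    }

    /** Call after credentials are verified: a brand-new id defeats session fixation. */
    public static HttpSession rotateSessionAfterLogin(HttpServletRequest request, String user) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();          // discard the pre-login id entirely
        HttpSession fresh = request.getSession(true); // container issues a new JSESSIONID
        fresh.setAttribute("user", user);           // hypothetical attribute name
        return fresh;
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Step 2 only helps once the login page itself is on HTTPS and the cookie is flagged `secure`; without that flag the browser will keep sending the cookie over HTTP and the filter can only react after the id has already leaked.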