HTTPS, URL rewriting and web logs

David O'Meara
Not really a specific question as such, but I wanted to see if anyone had any thoughts regarding the security of sessions when implemented by URL rewriting.
Usually sessions are supported using Cookies in the HTTP header, and they are secure when you move to HTTPS since this header info is encrypted.
If URL rewriting is implemented in HTTP, the session information will now be written to the weblog with both GET and POST requests.
As far as I can see, this will remain the same when moving to HTTPS: that is, URL rewriting will cause the session information to be written to logs.
While this may not be seen as a massive security breach, I'm not sure the clients would appreciate it. (Or is there something related to HTTPS that I'm missing that will save us?)
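
Added example, not part of the original post: a Python script that scans access-log lines in Combined Log Format for session IDs carried in the URL (request line and Referer) and redacts them. It assumes the servlet-style `;jsessionid=` path parameter plus the query parameter names in `SESSION_PARAMS`; the sample lines, host names and session values are constructed.

```python
import re

# Assumption: the session ID travels as the servlet-style path parameter
# ";jsessionid=<id>" or as a query parameter with one of these names.
SESSION_PARAMS = ("jsessionid", "sessionid", "sid")
TOKEN_RE = re.compile(
    r'([;?&](?:%s)=)[^;?&#\s"]+' % "|".join(SESSION_PARAMS), re.IGNORECASE)

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(\S+ \S+ \S+ \[[^\]]+\]) "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$')

def redact(text):
    """Replace session ID values with a marker; return (new_text, hit_count)."""
    return TOKEN_RE.subn(r"\1REDACTED", text)

def scrub_line(line):
    """Return (scrubbed_line, leaking_fields) for one access-log line."""
    line = line.rstrip("\n")
    m = LINE_RE.match(line)
    if not m:
        # Unknown layout: redact anywhere in the line rather than pass it through.
        scrubbed, hits = redact(line)
        return scrubbed, (["unparsed"] if hits else [])
    head, request, status, size, referer, agent = m.groups()
    request, req_hits = redact(request)
    referer, ref_hits = redact(referer)
    leaked = [f for f, hits in (("request", req_hits), ("referer", ref_hits)) if hits]
    return '%s "%s" %s %s "%s" "%s"' % (head, request, status, size, referer, agent), leaked

def audit(lines):
    """Scrub every line; return (scrubbed_lines, {line_number: leaking_fields})."""
    scrubbed, findings = [], {}
    for number, line in enumerate(lines, start=1):
        clean, leaked = scrub_line(line)
        scrubbed.append(clean)
        if leaked:
            findings[number] = leaked
    return scrubbed, findings

# Constructed sample lines (not real traffic). TLS is terminated before the
# server writes its log, so an HTTPS request is logged with its full URL.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2005:13:55:36 +1000] "GET /shop/cart.jsp;jsessionid=A1B2C3D4E5F6 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2005:13:55:41 +1000] "POST /shop/checkout.do;jsessionid=A1B2C3D4E5F6?step=2 HTTP/1.1" 302 0 "https://shop.example/shop/cart.jsp;jsessionid=A1B2C3D4E5F6" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2005:13:56:02 +1000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_LOG)[0]))
```

`audit()` returns the scrubbed lines together with a map of line numbers to the fields that carried a session ID, so it can be used either to clean archived logs or to check whether URL rewriting is still in use.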