Apache Tomcat has the ability to use the TLS Session ID instead of a session cookie or JSESSIONID in the querystring. My site is HTTPS Everywhere.
This seems useful in that I don't have to worry about session cookie theft, and can use sessions for user agents that don't do cookies.
Am I immune to Session Hijacking / Session Fixation here?
Any other issues to be concerned about?