From: Łukasz Lenart
Reply-To: lukasz.lenart@gmail.com
To: Struts Users Mailing List <user@struts.apache.org>
Date: Tue, 28 Feb 2012 10:58:39 +0100
Subject: Re: Security Vulnerability When Using SessionAware and Best Practice For Mitigating It
In-Reply-To: <1330370309268-5519824.post@n5.nabble.com>
References: <1329833391846-5502292.post@n5.nabble.com> <1330370309268-5519824.post@n5.nabble.com>

I think we should simply implement what was mentioned in WW-3631 to solve that potential vulnerability.

Kind regards
-- 
Łukasz
Mobile +48 606 323 122
Office +27 11 0838747
http://www.lenart.org.pl/
Warszawa JUG conference - Confitura http://confitura.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org