tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 12904] - Session hijacking - see script's comment
Date Sun, 01 Dec 2002 23:46:25 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12904>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12904

Session hijacking - see script's comment

funkman@joedog.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |INVALID



------- Additional Comments From funkman@joedog.org  2002-12-01 23:46 -------
If I am correct, you are worried that someone may be sniffing the wire and stealing
the session id.

This is a feature of the spec. To prevent this attack - use SSL. There is
nothing in the spec which dictates how the session id should be created (AFAIK),
so locking the session id to the requester's IP address could cause weird results.
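As an added illustration of the "use SSL" advice above (not part of the bug report, and not a file from Tomcat itself), a web.xml fragment that keeps the session id off the clear-text wire: a security-constraint with transport-guarantee CONFIDENTIAL makes Tomcat redirect plain HTTP requests to its HTTPS connector, and cookie-config (Servlet 3.0 and later, so not available in 2002) marks the JSESSIONID cookie Secure and HttpOnly so the browser never sends it without TLS. The url-pattern, web-app version and namespace are assumptions for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the bug report's or Tomcat's own deployment descriptor. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Require TLS for every URL in the application. A request arriving on the plain
       HTTP connector is answered with a redirect to the HTTPS port that the
       connector's redirectPort attribute in server.xml names (assumed to be set). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Servlet 3.0+: the session cookie carries the Secure flag (sent only over TLS)
       and HttpOnly (not readable from script). Without Secure, a session created
       over HTTPS would still be replayed in clear on any later http:// link. -->
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>

</web-app>
```

The redirect only protects requests made after deployment; a session id that was already issued over plain HTTP stays exposed until it expires or is invalidated.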
