tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 10419] - Session-ID grabbing from Request accepts invalid session cookies in presense of valid URL sessions
Date Sun, 08 Feb 2004 10:43:02 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419

Session-ID grabbing from Request accepts invalid session cookies in presense of valid URL
sessions

remm@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX



------- Additional Comments From remm@apache.org  2004-02-08 10:43 -------
Cookies will override URL session Ids. This is done on purpose and will ot be
fixed. Now, there was an issue where Tomcat would only consider the first
session id cookie. Now, if there are multiple ones, Tomcat will look until one
of them is valid (the first one should be, as per Craig comments, but I've added
more lenient code in the TC 5 CVS, since it doesn't hurt much). Please do not
reopen this report, it will not be fixed.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message