tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 10419] - Session-ID grabbing from Request accepts invalid session cookies in presense of valid URL sessions
Date Sun, 08 Feb 2004 15:38:33 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419

Session-ID grabbing from Request accepts invalid session cookies in presense of valid URL
sessions





------- Additional Comments From H.Zeller@acm.org  2004-02-08 15:38 -------
I agree, that when we can use cookies, session IDs from cookies should be 
preferred. Preferring URL rewritten session IDs over cookies has only be a 
potential point of discussion (see first comment). 
 
But IMHO if all session IDs read from cookies are bogus and the session ID 
from the URL is a valid one, then tomcat should go for the valid one. 
 
So its not a matter of 'use cookies' or 'use URL-rewriting' but 'use a valid 
session id gotten from the client while valid session cookies override session 
IDs from the URL'. If you do the check as pointed out in your message from  
2004-02-08 10:43, this is almost it as I understand it.. 
..If you do not override a valid session ID with an invalid one from a cookie. 
  
"Be lenient with what you consume, be pedantic and accurate with what you 
create."  -- Jon Postel

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message