tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40222] - Default Tomcat configuration allows easy session hijacking
Date Fri, 12 Jan 2007 12:33:45 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40222>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40222
------- Additional Comments From remm@apache.org  2007-01-12 04:33 -------
The session id as defined by the specification can be used by the user for a
variety of things, or can be pretty much set in stone due to other factors
(session clustering, persistent storage). So I'd suggest calming down and
relaxing, because this is not going to be fixed.

The proprietary solution (which could be enabled using a valve) is to expire the
session and create a new one with a different session id, and as a convenience,
Tomcat could copy over some of the session data. Feel free to submit such a
valve if you'd like to.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
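The comment above describes the mitigation in outline: expire the session at the login boundary, create a new one with a different id, and copy the old session's data across so the application does not notice. The following is an added illustration of that pattern, not code from the bug report, from Tomcat, or from the commenter. It is written as a standard servlet Filter against the javax.servlet API rather than as a Tomcat Valve, so it does not depend on Tomcat internals; the "loginPath" init-param name and the default path "/login" are assumptions for the example.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the session id just before the login request is handled, so a
 * session id that was present in the browser before authentication is never
 * the id of the authenticated session. Attributes of the old session are
 * carried over into the new one, as suggested in the bug comment.
 */
public class SessionIdRotationFilter implements Filter {

    // Path whose requests trigger rotation. Hypothetical init-param for this example.
    private String loginPath = "/login";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("loginPath");
        if (configured != null) {
            loginPath = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            // Only rotate on the credential-submitting request, not on every hit.
            if (loginPath.equals(request.getServletPath())
                    && "POST".equals(request.getMethod())) {
                rotateSession(request);
            }
        }
        chain.doFilter(req, res);
    }

    /** Expire the current session and move its attributes into a fresh one with a new id. */
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No pre-existing session, so there is nothing to rotate; just create one.
            return request.getSession(true);
        }
        // Snapshot the attributes before invalidating; reading them afterwards would throw.
        Map<String, Object> saved = new HashMap<String, Object>();
        Enumeration<?> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        int timeout = old.getMaxInactiveInterval();
        old.invalidate();
        // getSession(true) after invalidate() yields a new session with a new id;
        // the container emits the new session cookie with the response.
        HttpSession fresh = request.getSession(true);
        fresh.setMaxInactiveInterval(timeout);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    public void destroy() {
    }
}
```

Map the filter in web.xml with a url-pattern that covers the login path, and order it before any other filter that reads the session. Copying attributes wholesale is a convenience, as the comment says; anything the application stored that is tied to the old id (for example a pending-login marker keyed by session id) should be dropped rather than copied.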

