tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
Date Mon, 23 Mar 2009 14:34:49 GMT

--- Comment #8 from Dillon Sellars <>  2009-03-23 07:34:47 PST
It's worth mentioning that checking request.isRequestedSessionIdFromURL() won't
stop session fixation attacks. The first request to Tomcat where a session is
created will put the JSESSIONID in both the cookie and the query string. An attacker
can shoulder-surf and read the JSESSIONID from the URL and craft their own
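The point the comment makes, modelled as an added example (this is illustrative Python written for this page, not Tomcat's code): a server that creates a session on the first unauthenticated request and emits the id both as a cookie and in a rewritten URL, plus a login step that rejects ids arriving in the URL (the isRequestedSessionIdFromURL-style check). Because the same id also travels as a cookie, an attacker who read it from the URL can present it as a cookie, and the check passes. What actually closes the hole is rotating the session id at login. The `Server`, `run_scenario`, `from_url` and `rotate_on_login` names, and the two-request scenario, are assumptions of this model.

```python
"""Model of session fixation against a URL-rewriting session mechanism.

Constructed illustration for this page; it mirrors the behaviour described in
the comment above (id emitted in cookie and URL on session creation) and is not
Tomcat's implementation.
"""
import secrets


class Server:
    """Minimal session store with an optional fixation defence."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> {"user": name or None}

    @staticmethod
    def _new_sid():
        return secrets.token_hex(16)

    def first_request(self):
        """Unauthenticated request: a session is created and its id is sent back
        both as a Set-Cookie header and inside a rewritten URL."""
        sid = self._new_sid()
        self.sessions[sid] = {"user": None}
        return {"set_cookie": sid, "location": f"/app;jsessionid={sid}"}

    def login(self, requested_sid, from_url, user):
        """Authenticate `user` on the requested session.

        `from_url` models isRequestedSessionIdFromURL(): ids that arrived in
        the URL are refused. Returns the session id now bound to the user, or
        None if the request was rejected."""
        if from_url:
            return None  # the check from the comment: URL-carried ids are refused
        if requested_sid not in self.sessions:
            return None
        sid = requested_sid
        if self.rotate_on_login:
            # Defence: discard the pre-authentication id so that anyone who
            # learned it (from the URL or otherwise) is left with a dead id.
            del self.sessions[requested_sid]
            sid = self._new_sid()
            self.sessions[sid] = {"user": None}
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        """User bound to `sid`, or None if unknown/unauthenticated."""
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def run_scenario(rotate_on_login):
    """Victim and attacker both obtain the same pre-login id; report who the
    attacker's id resolves to after the victim logs in."""
    server = Server(rotate_on_login)

    # Victim's first visit: browser stores the cookie; the same id is visible in
    # the rewritten URL, which the attacker reads over the victim's shoulder.
    resp = server.first_request()
    fixed_sid = resp["location"].split("jsessionid=", 1)[1]
    assert fixed_sid == resp["set_cookie"]

    # The URL-sourced check does reject an id presented in the URL...
    url_form_rejected = server.login(fixed_sid, from_url=True, user="alice") is None

    # ...but the victim's browser sends it as a cookie, so login succeeds.
    victim_sid = server.login(fixed_sid, from_url=False, user="alice")

    # Attacker presents the id they read from the URL, also as a cookie.
    attacker_sees = server.whoami(fixed_sid)

    return {
        "fixed_sid": fixed_sid,
        "url_form_rejected": url_form_rejected,
        "victim_sid": victim_sid,
        "victim_authenticated": server.whoami(victim_sid) == "alice",
        "attacker_sees": attacker_sees,
    }


if __name__ == "__main__":
    print("no rotation:", run_scenario(rotate_on_login=False)["attacker_sees"])
    print("rotation:   ", run_scenario(rotate_on_login=True)["attacker_sees"])
```

Without rotation the attacker's pre-login id resolves to "alice" even though the URL form of the id was rejected; with rotation at login the victim gets a fresh id and the attacker's copy resolves to nothing.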

