tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
Date Mon, 23 Mar 2009 14:34:49 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #8 from Dillon Sellars <dill.sellars@gmail.com>  2009-03-23 07:34:47 PST
---
It's worth mentioning that checking request.isRequestedSessionIdFromURL() won't
stop session fixation attacks. The first request to Tomcat where a session is
created will put the JSESSIONID in both the cookie and query string. An attacker
can shoulder-surf and read the JSESSIONID from the URL and craft their own
JSESSIONID cookie.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
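The point made in the comment above is that where the session id arrived from is not the property that matters: an id that the attacker already knows is the problem, however it is presented. The standard mitigation is to issue a fresh, server-generated session id at the moment of authentication, so an id fixed before login never becomes an authenticated session. The servlet below is an added example illustrating that, not code from Tomcat or from the bug report. It assumes the application supplies its own credential check by implementing the abstract `authenticate` method; the redirect target `/home` is a placeholder. It also logs, without relying on it as a defense, when the id at login came from the URL, since that is a useful detection signal.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not Tomcat's own code: a login servlet that rotates the
 * session id at authentication. Whether the pre-login id was carried in the
 * URL or copied from a URL into a cookie, it is discarded here, so a fixed id
 * never becomes an authenticated session.
 */
public abstract class SessionRotatingLoginServlet extends HttpServlet {

    /** Supplied by the application (hypothetical): the real credential check. */
    protected abstract boolean authenticate(String username, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        // Detection only: as the comment notes, this check does not prevent
        // fixation, but a URL-borne session id at login is worth recording.
        if (req.isRequestedSessionIdFromURL()) {
            log("session id supplied in URL at login from " + req.getRemoteAddr());
        }

        if (user == null || pass == null || !authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Authentication succeeded: bind the user to a brand-new session id.
        HttpSession session = rotateSession(req);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home"); // placeholder target
    }

    /**
     * Invalidates the pre-authentication session (if any), creates a new one
     * with a server-generated id, and carries over existing attributes. Works
     * on any Servlet API version; on Servlet 3.1+ req.changeSessionId() does
     * the same in a single call.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        Map<String, Object> saved = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the attacker-known id is now dead server-side
        }
        HttpSession fresh = req.getSession(true); // new id, sent as a new cookie
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Rotating the id on login is what closes the fixation window; disabling URL rewriting (the subject of this bug) is still worthwhile on its own, because it stops the id from leaking into logs, referrers and shoulder-surfing in the first place, but on its own it does not make a pre-authentication id safe to keep.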

