tomcat-users mailing list archives

From "Blake Binkley" <mord...@aoj.net>
Subject RE: automated URL rewriting
Date Wed, 10 Jan 2001 19:22:21 GMT

I had something along the same lines; I have added an object which stores
the user's IP in the session.

Any answers on question #1?

Blake Binkley
667 Woodward St.
San Marcos, CA 92069
Home: (760) 744-9086
Cell: (760) 505-6591
E-Mail: mordron@aoj.net
ICQ: 752498
AIM: mordronlafey
MSIM: mordron
Yahoo: mordron


-----Original Message-----
From: rob@mx-out.daemonmail.net [mailto:rob@mx-out.daemonmail.net]On
Behalf Of Robert Wohleb
Sent: Tuesday, January 09, 2001 3:53 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: automated URL rewriting


Hmm... let's see...
For question two, if you do a bitwise XOR of the IP and session ID you
can get a new ID.
Then when you want to "decrypt" the new ID, you can do a bitwise XOR of
the new ID with the accessing IP, resulting in the original session ID.
If the IP is wrong, you get back a session ID that is not the original.
This is a simple method, but better than nothing.

~Rob

Blake Binkley wrote:
>
> I have searched all over the place and see a lot about "URL rewriting"; here
> is what I know:
>
> you can use
> <A href=<%= response.encodeURL("NewPage.jsp") %> >
> to force a single link to encode the session if cookies are turned off
>
> When cookies are turned off and the above method is used, it is easy for a
> session to be loaned/stolen by just copying the URL and IMing (Instant
> Messaging) it to a friend who also has cookies turned off.
>
> The above method of using rewriting is bulky and forces either designers to
> learn some JSP code or the programmers to replace every link on every page
> with the above code.
>
> My Questions:
>
> Is there no setting in server.xml that we can set to have all anchors and
> form actions ending in .jsp rewritten?
>
> Perhaps, to add an extra level of security, can we not encrypt the jsessionId
> with the value of Remote_IP so that it invalidates on a bad decryption?
>
> Blake Binkley
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, email: tomcat-user-help@jakarta.apache.org

--
_______________________________________

 Robert Wohleb
 Web Applications Development Manager
 Parafoil Software, Inc.
_______________________________________

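The address check Blake describes (store the client IP in the session, reject later requests that present the same session from a different address), written out as an added example that is not from either poster: a hypothetical servlet filter for a Servlet 2.3 container such as Tomcat 4. It binds the session by a server-side comparison instead of XORing the IP into the id as Rob suggests, so the session id itself is left unchanged; the class name and the attribute key are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not Tomcat's own code): records the client address
 * the first time a session is seen and rejects later requests that present
 * the same session id from a different address. Map it in web.xml to the
 * URL patterns that carry the rewritten session id.
 */
public class SessionAddressFilter implements Filter {
    // Session attribute under which the originating address is kept (assumed name).
    private static final String BOUND_ADDR = "bound.remoteAddr";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);
        String current = request.getRemoteAddr();
        String bound = (String) session.getAttribute(BOUND_ADDR);

        if (bound == null) {
            // First request for this session: remember where it came from.
            session.setAttribute(BOUND_ADDR, current);
        } else if (!bound.equals(current)) {
            // Same session id arriving from another address: a copied URL.
            // Drop the session so the id stops working for everyone and
            // make the client start over.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "Session is not valid from this address");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Clients behind a shared proxy or NAT all present the same address, and dial-up clients can change address mid-session, so this check cuts down on copied-URL sharing but is not a substitute for short session timeouts.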

