tomcat-users mailing list archives

From "Blake Binkley" <>
Subject RE: automated URL rewriting
Date Wed, 10 Jan 2001 19:22:21 GMT

I had something along the same lines; I have added an object which stores
the user's IP in the session

any answers on question #1?

Blake Binkley

-----Original Message-----
From: [] On Behalf Of Robert Wohleb
Sent: Tuesday, January 09, 2001 3:53 PM
Subject: Re: automated URL rewriting

hmm....... let's see...
for question two, if you do a bitwise XOR of the IP and session ID you
can get a new ID.
Then when you want to "decrypt" the new ID, you can do a bitwise XOR of
the new ID with the accessing IP resulting in the original sessionID.
If the IP is wrong, you get back a sessionID that is not the original.
This is a simple method, but better than nothing.


Blake Binkley wrote:
> I have searched all over the place and see a lot about "URL rewriting"; here
> is what I know:
> you can use
> <A href="<%= response.encodeURL("NewPage.jsp") %>">
> to force a single link to encode the session if cookies are turned off
> when cookies are turned off and the above method is used it is easy for a
> session to be loaned/stolen by just copying the url and IM (Instant
> Messaging) to a friend who also has cookies turned off
> the above method of using rewriting is bulky and forces either designers
> learn some jsp code or the programmers to replace every link on every
> with the above code.
> My Questions:
> is there no setting in server.xml that we can set to have all anchors and
> form actions ending in .jsp rewritten?
> perhaps to add an extra level of security can we not encrypt the
> with the value of Remote_IP so that it invalidates on a bad decryption?
> Blake Binkley


 Robert Wohleb
 Web Applications Development Manager
 Parafoil Software, Inc.
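
Added example, not part of either message and not Tomcat's own code: a stand-alone Java check of the XOR idea from the reply above, next to a keyed alternative (HMAC-SHA256 with a server-side secret, a technique swapped in here that the thread does not propose). The class name, session ID and addresses are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class SessionIpBinding {
    // The scheme from the thread: XOR the session ID bytes with the 4 IPv4 bytes, repeating.
    static byte[] xorWithIp(byte[] data, byte[] ip) {
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) out[i] = (byte) (data[i] ^ ip[i % ip.length]);
        return out;
    }

    // Keyed alternative (assumption): tag = HMAC-SHA256(serverKey, sessionId || 0x00 || ip).
    static byte[] tag(byte[] key, byte[] sessionId, byte[] ip) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(sessionId);
        mac.update((byte) 0);
        return mac.doFinal(ip);
    }

    static boolean verify(byte[] key, byte[] sessionId, byte[] ip, byte[] presented) throws Exception {
        return MessageDigest.isEqual(tag(key, sessionId, ip), presented); // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: made-up session ID, documentation address ranges.
        byte[] sessionId = "To1010mC4821736".getBytes(StandardCharsets.US_ASCII);
        byte[] ipA = {(byte) 192, 0, 2, 10};
        byte[] ipB = {(byte) 198, 51, 100, 7};

        byte[] token = xorWithIp(sessionId, ipA);
        System.out.println("XOR, same IP recovers ID:  " + Arrays.equals(xorWithIp(token, ipA), sessionId));
        System.out.println("XOR, other IP recovers ID: " + Arrays.equals(xorWithIp(token, ipB), sessionId));
        // XOR uses no secret, so the binding can be recomputed from the two addresses alone.
        byte[] rebound = xorWithIp(xorWithIp(token, ipA), ipB);
        System.out.println("XOR, re-bound token valid: " + Arrays.equals(xorWithIp(rebound, ipB), sessionId));

        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // server-side secret, never sent to the client
        byte[] t = tag(key, sessionId, ipA);
        System.out.println("HMAC, same IP verifies:    " + verify(key, sessionId, ipA, t));
        System.out.println("HMAC, other IP verifies:   " + verify(key, sessionId, ipB, t));
    }
}
```

Any form of IP binding, including storing the address in the session as described in the first message, also rejects legitimate users whose address changes mid-session, for example behind a proxy pool.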
