tomcat-users mailing list archives

From Kief Morris <>
Subject Re: HttpSession across virtual hosts
Date Thu, 08 Feb 2001 12:14:42 GMT
David Oxley typed the following on 10:38 AM 2/8/2001 +0000
>I know that the HttpSession is only valid on the virtual host it was created
>on. This is more of a security question. We currently have our own session
>class that gets stored in an HttpSession 1:1 ratio. So we've coded a request
>that allows us to GetSessionID on the original host and then AttachSession
>on the new host. Which basically does a lookup of the session id in a static
>hashtable to find one of our sessions and then attaches it to the new

I sort-of understand what you're doing, but I'm not clear on a couple of details.
What do you mean when you say you've "coded a request"? How exactly is
the session ID passed from the original host to the new host, is this by a
form field embedded into the HTML, or is it all on the server side?

> This is used when switching from a non-secure to and from
>secure host. My question is while the user name and password goes to the
>secure host the session id will be sent on the unsecure host in the
>AttachSession request:
>1. Can this be intercepted by a hacker and used as if they had logged on?

If an attacker is snooping a non-SSL connection, they can see the session ID 
and potentially horn in on the non-SSL session. I haven't heard of any tools to 
exploit this, but then I haven't really looked.

>2. If I save the remote ip address and check it during the AttachSession, is
>that secure enough or can some hacker pretend to be the same ip address?

It depends on what "secure enough" means for your organization. It is 
possible to spoof an IP address, but it doesn't hurt to add an extra obstacle
for crackers. The only drawback I can think of to doing this is that some legitimate 
users may be behind weird ISP proxies which give different IP addresses on 
different requests. But I don't know how many users do use such systems;
it may be a small enough number to be acceptable to your needs.

>3. I am right in assuming there is no way of making an HttpSession valid
>across virtual hosts (Make my life a lot easier)?

Yes you are right: you can't. If your virtual servers are under a common
domain (,, etc.) you can use your own cookie to 
index your "session" data object, basically implementing your own session
system. But it sounds like you're doing that, or something similar, already.

>4. How can I keep the HttpSession on the original host valid? Or is it
>easier to do an AttachSession every time the host is switched?

I'm not sure what the problem is here: if the user returns to the original
host before their session expires, their session should still be valid.


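The GetSessionID / AttachSession hand-off and the IP check discussed in this message, sketched as an added example that is not part of the original post or of Tomcat. It goes one step beyond the thread by passing a short-lived, single-use ticket across the non-SSL host instead of the session ID itself; the class name, method names, 30-second lifetime and sample addresses are all assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical registry shared by both virtual hosts (same JVM), standing in
// for the "static hashtable" from the thread. All names are illustrative.
public class SessionHandoff {
    private static final long TTL_MS = 30_000;   // assumed hand-off lifetime
    private static final SecureRandom RNG = new SecureRandom();
    private static final Map<String, Pending> PENDING = new ConcurrentHashMap<>();

    private record Pending(Object appSession, String remoteIp, long expiresAt) {}

    // Original host: issue a random single-use ticket instead of exposing the
    // long-lived session ID on the non-SSL request.
    public static String getHandoffTicket(Object appSession, String remoteIp, long now) {
        byte[] raw = new byte[24];
        RNG.nextBytes(raw);
        String ticket = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        PENDING.put(ticket, new Pending(appSession, remoteIp, now + TTL_MS));
        return ticket;
    }

    // New host: remove() makes the ticket single-use, so a sniffed copy
    // replayed after the real attach finds nothing. Returns null on failure.
    public static Object attachSession(String ticket, String remoteIp, long now) {
        Pending p = (ticket == null) ? null : PENDING.remove(ticket);
        if (p == null || now > p.expiresAt()) return null;
        // IP match is an extra obstacle only: addresses can be spoofed, and
        // users behind rotating proxies will fail this check legitimately.
        if (!p.remoteIp().equals(remoteIp)) return null;
        return p.appSession();
    }

    public static void main(String[] args) {
        long t0 = System.currentTimeMillis();
        Object session = "app-session-for-alice";   // constructed sample value
        String t1 = getHandoffTicket(session, "192.0.2.10", t0);
        System.out.println("same IP:  " + attachSession(t1, "192.0.2.10", t0 + 1_000));
        System.out.println("replayed: " + attachSession(t1, "192.0.2.10", t0 + 2_000));
        String t2 = getHandoffTicket(session, "192.0.2.10", t0);
        System.out.println("other IP: " + attachSession(t2, "198.51.100.7", t0 + 1_000));
        String t3 = getHandoffTicket(session, "192.0.2.10", t0);
        System.out.println("expired:  " + attachSession(t3, "192.0.2.10", t0 + TTL_MS + 1));
    }
}
```

Only the first attach returns the session object; the replayed, wrong-address and expired attempts all return null. A failed attach consumes the ticket, so a user whose proxy changes address has to request a new one.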