tomcat-users mailing list archives

From David Oxley <>
Subject HttpSession across virtual hosts
Date Thu, 08 Feb 2001 10:38:08 GMT
Hi all,

I know that the HttpSession is only valid on the virtual host it was created
on. This is more of a security question. We currently have our own session
class that gets stored in an HttpSession at a 1:1 ratio. So we've coded a request
that allows us to GetSessionID on the original host and then AttachSession
on the new host, which basically does a lookup of the session id in a static
hashtable to find one of our sessions and then attaches it to the new
HttpSession. This is used when switching to and from a non-secure host and a
secure host. My question is: while the user name and password go to the
secure host, the session id will be sent on the unsecure host in the
AttachSession request:

1. Can this be intercepted by a hacker and used as if they had logged on?
2. If I save the remote IP address and check it during the AttachSession, is
that secure enough, or can some hacker pretend to be the same IP address?
3. Am I right in assuming there is no way of making an HttpSession valid
across virtual hosts? (That would make my life a lot easier.)
4. How can I keep the HttpSession on the original host valid? Or is it
easier to do an AttachSession every time the host is switched?
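The handoff described in the message (GetSessionID on one host, AttachSession on the other, backed by a static hashtable) sends the session id itself across the unsecure host. The following is an added example, not the poster's code or anything from Tomcat: a hypothetical `HandoffTokenRegistry` that replaces the session id on the wire with a separate random, single-use, short-lived handoff token. The class name, the 30-second TTL and the sample session id are all assumptions made for the example; it runs stand-alone with `java HandoffTokenRegistry.java` (Java 11 or later).

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical server-side registry for handing a logged-in session across
 * virtual hosts (added example; not the poster's code). The originating host
 * mints a random handoff token that maps to the session on the server side;
 * the receiving host redeems it exactly once. The HttpSession id itself never
 * leaves the host that owns it.
 */
public class HandoffTokenRegistry {

    /** What a token points at and when it stops being valid. */
    private static final class Entry {
        final String sessionId;
        final long expiresAtMillis;

        Entry(String sessionId, long expiresAtMillis) {
            this.sessionId = sessionId;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Entry> tokens = new ConcurrentHashMap<>();
    private final long ttlMillis;

    public HandoffTokenRegistry(long ttlMillis) {
        this.ttlMillis = ttlMillis;
    }

    /** Originating host: mint a 256-bit random token bound to this session. */
    public String issue(String sessionId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(token, new Entry(sessionId, System.currentTimeMillis() + ttlMillis));
        return token;
    }

    /**
     * Receiving host: return the session id for a live token and invalidate it
     * in the same step. A second presentation of the same token (a replay of a
     * captured request) gets null, as does a token older than the TTL.
     */
    public String redeem(String token) {
        Entry e = tokens.remove(token); // atomic remove: the first redeemer wins
        if (e == null || System.currentTimeMillis() > e.expiresAtMillis) {
            return null;
        }
        return e.sessionId;
    }

    /** Housekeeping: drop tokens that were issued but never redeemed. */
    public void purgeExpired() {
        long now = System.currentTimeMillis();
        tokens.entrySet().removeIf(en -> now > en.getValue().expiresAtMillis);
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed sample values; a real deployment would use the live session id.
        String sessionId = "constructed-session-id-0001";

        HandoffTokenRegistry registry = new HandoffTokenRegistry(30_000); // 30 s TTL
        String token = registry.issue(sessionId);
        System.out.println("first redeem : " + registry.redeem(token)); // the session id
        System.out.println("replay       : " + registry.redeem(token)); // null

        HandoffTokenRegistry shortLived = new HandoffTokenRegistry(1); // 1 ms TTL
        String stale = shortLived.issue(sessionId);
        Thread.sleep(5);
        System.out.println("expired      : " + shortLived.redeem(stale)); // null
        shortLived.purgeExpired();
    }
}
```

Two design points matter here. First, the token is not the session id, so a captured AttachSession request no longer yields a value that is valid on the originating host. Second, `redeem` removes the entry atomically before checking expiry, so whichever party presents the token first consumes it and any later copy is refused. This limits what an intercepted request is worth, but it does not make the plaintext hop safe: a token observed in transit and redeemed before the legitimate request arrives would still succeed, which is why the redeem endpoint belongs on the TLS host wherever the flow allows it. A remote-address comparison can be added as an extra check inside `redeem`, but clients behind proxies or NAT share addresses, so it is a supplement to the single-use token rather than a replacement for it.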