tomcat-users mailing list archives

From Adam Hardy <>
Subject Re: session hijacking and tying session to IP address with filter
Date Tue, 28 Oct 2003 12:23:29 GMT
On 10/28/2003 12:06 PM Tim Funk wrote:
> I think they can and you'll break AOL users. AOL and other large 
> entities sometimes employ megaproxies where the user might appear to be 
> coming from different ip addresses.

OK I guess if I write a filter to reject requests where the IP address 
doesn't match the one in the session, then I can always make an 
exception for AOL browsers - assuming I can identify them from the 
browser user-agent or the IP address range.

As Christopher says, I guess I can do security reviews at regular 
intervals to see if it's a problem.

> The guaranteed way to prevent session hijacking is by using ssl. (And 
> making sure your site is not victim to css attacks)

I can't see using SSL for the whole session being acceptable - perhaps 
generally the public usage will go this way, but at the moment that 
would just be giving fuel to some web-site reviewer to criticise my site 
for being over-anal about security. Plus it actually would be anal - I 
don't need to protect from session hijacking so badly that I encrypt the 
whole lot.


struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
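The filter discussed above, as an added example that is not part of the original thread or of Tomcat itself: a servlet Filter that records the client address when it first sees a session and rejects later requests on that session from a different address, unless the address falls in a configured exempt prefix list (standing in for the megaproxy case). The prefix values, the init-param name and the class name are assumptions; the example uses the RFC 5737 documentation range as a placeholder and does not know any real AOL proxy ranges.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical example (not from the thread): rejects a request whose peer
 * address differs from the one recorded when the session was first seen,
 * unless either address is inside an exempt (megaproxy) prefix.
 * Written against the Servlet 2.4 API, so it compiles on Java 1.4 (no generics).
 */
public class SessionIpFilter implements Filter {

    private static final String ATTR_IP = "SessionIpFilter.ip";

    // Comma-separated address prefixes from web.xml, e.g. "198.51.100.,203.0.113."
    // (RFC 5737 documentation ranges used as placeholders; real proxy ranges
    // are an assumption the deployer must supply)
    private final List exemptPrefixes = new ArrayList();

    public void init(FilterConfig config) {
        String raw = config.getInitParameter("exemptPrefixes");
        if (raw != null) {
            String[] parts = raw.split(",");
            for (int i = 0; i < parts.length; i++) {
                String p = parts[i].trim();
                if (p.length() > 0) exemptPrefixes.add(p);
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Use the transport-level peer address, never X-Forwarded-For or the
        // User-Agent: a hijacker controls any header and can replay the victim's.
        String remote = request.getRemoteAddr();
        HttpSession session = request.getSession(false);

        if (session != null) {
            String bound = (String) session.getAttribute(ATTR_IP);
            if (bound == null) {
                // First request we see on this session (it may have been created
                // by a JSP before this filter ran): bind it to the current peer.
                session.setAttribute(ATTR_IP, remote);
            } else if (!bound.equals(remote) && !isExempt(bound) && !isExempt(remote)) {
                // Address changed and neither side is a known proxy range:
                // invalidate so the stolen session id is worthless from now on.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Session is bound to a different client address");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    private boolean isExempt(String ip) {
        for (int i = 0; i < exemptPrefixes.size(); i++) {
            if (ip.startsWith((String) exemptPrefixes.get(i))) return true;
        }
        return false;
    }

    public void destroy() {}
}
```

Map it in web.xml with a `<filter>` entry carrying an `exemptPrefixes` init-param and a `<filter-mapping>` on `/*`. Two caveats a practitioner would want: the exemption is decided on the peer address, not the User-Agent, because the User-Agent is attacker-chosen and would let anyone opt out of the check by claiming to be an AOL browser; and any request that is exempt gets no protection at all from this filter, so for the exempt ranges the session id is only as safe as the transport it travels over.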
