tomcat-users mailing list archives

From Marc Hughes <m...@bookpool.com>
Subject Re: Tomcat5 and url tracking hijacking
Date Tue, 27 Jan 2004 16:30:32 GMT
I don't see how https would help. Someone posting a url to a newsgroup 
along the lines of either of these

https://somesite/jsessionid=94823904823908432098
http://somesite/jsessionid=94823904823908432098
would still hijack the session, no?  Could you elaborate on how ssl 
would help? 

Cookie hijacking is far less likely since a user is very unlikely to
post their cookie data somewhere.  An attacker would have to guess the
sessionID.  The sessionID is securely generated so it can't easily be
predicted beforehand (right?).

I'm sure preventing multiple people from using the same session ID if 
the url is emailed or posted is something lots of people would like to 
prevent.  I would assume there are good ways of handling it and I'd 
rather not reinvent the wheel.  Are there any best-practices or design 
patterns to guide someone?  Maybe restricting url tracking people to a 
certain ip range, or within a certain tolerance of other info they send 
back (browser, some other signature, etc.)?

Thanks,
-Marc
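One way to implement the two checks Marc asks about, as an added example that is not from the thread or from Tomcat itself: a javax.servlet Filter (hypothetical class name SessionGuardFilter, hypothetical attribute name guard.userAgent) that refuses to honour a session ID carried in the URL and binds each session to the User-Agent seen when it was created. It assumes clients accept cookies, so URL rewriting is never needed, and it stays with the Servlet 2.4 API that Tomcat 5 implements.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/* Added example, not part of the thread or of Tomcat.
   1. A session ID that arrived in the URL (;jsessionid=...) is never honoured.
   2. Each cookie-based session is bound to the browser signature seen at creation. */
public class SessionGuardFilter implements Filter {
    private static final String UA_ATTR = "guard.userAgent";   // hypothetical attribute name

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ua = request.getHeader("User-Agent");
        if (ua == null) ua = "";

        // 1. ID came from the URL: whoever pasted or clicked it does not get the session.
        //    Drop it (this also ends the original owner's session, the right outcome once
        //    the ID has leaked), start a fresh cookie-based one, and redirect to a clean URL.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession old = request.getSession(false);
            if (old != null) old.invalidate();
            request.getSession(true).setAttribute(UA_ATTR, ua);
            response.sendRedirect(stripSessionId(request.getRequestURI()));
            return;
        }

        // 2. Cookie-based session: compare the stored signature. User-Agent is spoofable,
        //    so this only raises the bar; binding to getRemoteAddr() is stricter but breaks
        //    behind proxies and NAT, so it is deliberately not done here.
        HttpSession session = request.getSession(false);
        if (session != null) {
            String bound = (String) session.getAttribute(UA_ATTR);
            if (bound == null) {
                session.setAttribute(UA_ATTR, ua);        // first request on this session
            } else if (!bound.equals(ua)) {
                session.invalidate();                     // signature changed: treat as hijack
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Session rejected");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    /* Removes a ";jsessionid=..." path parameter if the container left it in the URI. */
    static String stripSessionId(String uri) {
        int i = uri.toLowerCase().indexOf(";jsessionid=");
        if (i < 0) return uri;
        int end = uri.indexOf('/', i);
        return end < 0 ? uri.substring(0, i) : uri.substring(0, i) + uri.substring(end);
    }
}
```

Map the filter to /* in web.xml ahead of the application's own filters; Tim's point still stands, since without https a session cookie can be read off the wire regardless of what the filter checks.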


Subject: Re: Tomcat5 and url tracking hijacking
From: Tim Funk <funkman@joedog.org>
Date: Tue, 27 Jan 2004 09:41:27 -0500
To: Tomcat Users List <tomcat-user@jakarta.apache.org>

yeah - you'd get that users session. Same problem with cookie hijacking.

Use https.

There is nothing defined by the spec to prevent this. (Except https)

-Tim

Marc Hughes wrote:

> Does tomcat 5 use some kind of mechanism to prevent session hijacking 
> when url session tracking is being used?  For instance, if someone 
> posts a url to a website with the tracking info in it, will anyone 
> clicking on that link pick up the original user's session (assuming it 
> didn't time out yet)?  If it does prevent this, how?
>
> If anyone knows of any articles about keeping sessions safe, I'd love 
> to get pointed to those.
>