tomcat-users mailing list archives

From Marc Hughes <>
Subject Re: Tomcat5 and url tracking hijacking
Date Tue, 27 Jan 2004 16:30:32 GMT
I don't see how https would help. Someone posting a url to a newsgroup 
along the lines of either of these

would still hijack the session, no?  Could you elaborate on how ssl 
would help? 

Cookie hijacking is far less likely since a user is very unlikely to 
post their cookie data somewhere.  An attacker would have to guess the 
sessionID.  The sessionID is securely generated so it can't easily be 
predicted beforehand (right?). 

I'm sure preventing multiple people from using the same session ID if 
the url is emailed or posted is something lots of people would like to 
prevent.  I would assume there are good ways of handling it and I'd 
rather not reinvent the wheel.  Are there any best-practices or design 
patterns to guide someone?  Maybe restricting url tracking people to a 
certain ip range, or within a certain tolerance of other info they send 
back (browser, some other signature, etc.)?
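One way to implement the tolerance-based check Marc asks about, as an added example that is not part of this thread or of Tomcat itself: a servlet filter (javax.servlet 2.4, the API level Tomcat 5 ships) that records a coarse client signature the first time it sees a session and rejects later requests whose signature differs. The attribute name, the /24 address tolerance and the 403 response are assumptions; a session id that arrives via URL rewriting is subject to the same check as one from a cookie.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Binds each HttpSession to the client signature seen on its first request
 * (User-Agent plus the first three octets of the remote address) and refuses
 * requests whose signature no longer matches. A pasted ;jsessionid=... link
 * opened from another network or browser therefore fails instead of resuming
 * the original user's session. Register it in web.xml with a url-pattern of /*.
 */
public class SessionBindingFilter implements Filter {
    // Hypothetical attribute name used to store the signature in the session.
    private static final String BINDING_ATTR = "session.binding";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    /** Coarse signature: /24 prefix of the address plus the User-Agent header, so an
     *  address change inside the same subnet does not log the legitimate user out. */
    static String signature(HttpServletRequest req) {
        String ua = req.getHeader("User-Agent");
        String ip = req.getRemoteAddr();
        int lastDot = ip.lastIndexOf('.');
        String prefix = lastDot > 0 ? ip.substring(0, lastDot) : ip;
        return prefix + "|" + (ua == null ? "" : ua);
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        HttpSession session = req.getSession(false); // do not create one here
        if (session != null) {
            String bound = (String) session.getAttribute(BINDING_ATTR);
            String now = signature(req);
            if (bound == null) {
                session.setAttribute(BINDING_ATTR, now);   // first use: record the signature
            } else if (!bound.equals(now)) {
                // The id has been presented from a different client: treat it as leaked,
                // kill the session so neither party can keep using it, and refuse the request.
                session.invalidate();
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(request, response);
    }
}
```

The trade-off is the one Marc describes: a legitimate user who changes subnet or browser mid-session is also logged out, which is why the signature is kept deliberately coarse.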


Re: Tomcat5 and url tracking hijacking
Tim Funk <>
Tue, 27 Jan 2004 09:41:27 -0500

Tomcat Users List <>

yeah - you'd get that users session. Same problem with cookie hijacking.

Use https.

There is nothing defined by the spec to prevent this. (Except https)


Marc Hughes wrote:

> Does tomcat 5 use some kind of mechanism to prevent session hijacking 
> when url session tracking is being used?  For instance, if someone 
> posts a url to a website with the tracking info in it, will anyone 
> clicking on that link pick up the original user's session (assuming it 
> didn't time out yet)?  If it does prevent this, how?
> If anyone knows of any articles about keeping sessions safe, I'd love 
> to get pointed to those.
