tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shapira, Yoav" <>
Subject RE: Tomcat5 and url tracking hijacking
Date Tue, 27 Jan 2004 14:39:56 GMT

Part of the session creation involves information about the user
environment, such as his/her IP address and browser.  Someone would have
to read the bulleting board and contact the server from the same IP
address as the original user before the session expires.  But anyways,
the session creation code like all of tomcat is open-source, so you can
take a look and tell us if you find any vulnerabilities ;)

Yoav Shapira
Millennium ChemInformatics

>-----Original Message-----
>From: Marc Hughes []
>Sent: Tuesday, January 27, 2004 9:35 AM
>Subject: Tomcat5 and url tracking hijacking
>Does tomcat 5 use some kind of mechanism to prevent session hijacking
>when url session tracking is being used?  For instance, if someone
>a url to a website with the tracking info in it, will anyone clicking
>that link pick up the original user's session (assuming it didn't time
>out yet)?  If it does prevent this, how?
>If anyone knows of any articles about keeping sessions safe, I'd love
>get pointed to those.
>To unsubscribe, e-mail:
>For additional commands, e-mail:

This e-mail, including any attachments, is a confidential business communication, and may
contain information that is confidential, proprietary and/or privileged.  This e-mail is intended
only for the individual(s) to whom it is addressed, and may not be saved, copied, printed,
disclosed or used by anyone else.  If you are not the(an) intended recipient, please immediately
delete this e-mail from your computer system and notify the sender.  Thank you.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message