tomcat-users mailing list archives

From "Ralph Einfeldt" <ralph.einfe...@uptime-isc.de>
Subject RE: Tomcat5 and url tracking hijacking
Date Tue, 27 Jan 2004 14:51:40 GMT

There is not much Tomcat can do about it.

The too-simple solution is to stick the session to the IP.
But that doesn't work well:
- There are several users that can have different IPs in
  the same session (dial-in connection, DSL).
- On the other side, there are several users that use the
  same IP to access the server (they sit behind corporate
  or, even worse, ISP proxies).

If you want safe sessions you have to use HTTPS.

> -----Original Message-----
> From: Marc Hughes [mailto:marc@bookpool.com]
> Sent: Tuesday, January 27, 2004 3:35 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Tomcat5 and url tracking hijacking
> 
> Does Tomcat 5 use some kind of mechanism to prevent session hijacking
> when URL session tracking is being used? For instance, if someone posts
> a URL to a website with the tracking info in it, will anyone clicking on
> that link pick up the original user's session (assuming it didn't time
> out yet)? If it does prevent this, how?
> 

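As an added illustration (not code from this thread or from Tomcat itself), the following hypothetical servlet filter addresses the scenario in the question: it refuses to honour a session id that arrived in the URL, so a pasted link never hands one user's session to whoever clicks it. It uses only the standard Servlet API (`isRequestedSessionIdFromURL`, `getSession`, `invalidate`); the class name and mapping are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (assumed name): a session id carried in the URL
 * (";jsessionid=...") is treated as potentially shared. The session it
 * names is invalidated and the request continues with a fresh, empty
 * session whose id the container sends back in a cookie. Map this filter
 * to "/*" in web.xml so it runs before any servlet touches the session.
 */
public class UrlSessionGuardFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // The container reports where it found the requested id: cookie or URL.
        if (request.isRequestedSessionIdFromURL()) {
            // Only an id that still maps to a live session matters; an
            // unknown or expired id is ignored by the container anyway.
            HttpSession shared = request.getSession(false);
            if (shared != null) {
                shared.invalidate();
            }
            // Issue a new id for this client; it is delivered via Set-Cookie.
            request.getSession(true);
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

The trade-off is the one Ralph's reply implies: clients that block cookies lose their session on every request, so this amounts to cookie-only tracking, and it still does nothing against an id sniffed off plain HTTP.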

