tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ralph Einfeldt" <>
Subject RE: Tomcat5 and url tracking hijacking
Date Tue, 27 Jan 2004 16:41:57 GMT
You didn't mention the context.

HTTPS just would help to avoid the spoofing of the id
with a network sniffer. If you publish the session id 
to somebody that's a different thing.

Restricting the session to an IP is not a good idea at all.
I don't think that you will find 'best practice' or 'How to'
for this.

> -----Original Message-----
> From: Marc Hughes []
> Sent: Tuesday, January 27, 2004 5:31 PM
> To:
> Subject: Re: Tomcat5 and url tracking hijacking
> I don't see how https would help. Someone posting a url to a 
> newsgroup along the lines of either of these
> https://somesite/jsessionid=94823904823908432098
> http://somesite/jsessionid=94823904823908432098
> would still hijack the session, no?  Could you elaborate on how ssl 
> would help? 
> Cookie hijacking is far less likely since a user is very unlikely to 
> post their cookie data somewhere.  An attacker would have to 
> guess the sessionID.  The sessionID is securely generated so it can't easily be 
> predicted before hand (right?). 
> I'm sure preventing multiple people from using the same session ID if 
> the url is emailed or posted is something lots of people 
> would like to 
> prevent. I would assume there are good ways of handling it and I'd 
> rather not reinvent the wheel.  Are there any best-practices or 
> design patterns to guide someone?  Maybe restricting url tracking 
> people to a certain ip range, or within a certain tolerance of other info 
> they send back (browser, some other signature, etc.)?

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message