You didn't mention the context.
HTTPS would just help to avoid the spoofing of the id
with a network sniffer. If you publish the session id
to somebody, that's a different thing.
Restricting the session to an IP is not a good idea at all.
I don't think that you will find 'best practice' or 'How to'
for this.
> -----Original Message-----
> From: Marc Hughes [mailto:marc@bookpool.com]
> Sent: Tuesday, January 27, 2004 5:31 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Tomcat5 and url tracking hijacking
>
>
> I don't see how https would help. Someone posting a url to a
> newsgroup along the lines of either of these
>
> https://somesite/jsessionid=94823904823908432098
> http://somesite/jsessionid=94823904823908432098
> would still hijack the session, no? Could you elaborate on how ssl
> would help?
>
> Cookie hijacking is far less likely since a user is very unlikely to
> post their cookie data somewhere. An attacker would have to
> guess the sessionID. The sessionID is securely generated so it can't easily be
> predicted beforehand (right?).
>
> I'm sure preventing multiple people from using the same session ID if
> the url is emailed or posted is something lots of people
> would like to
> prevent. I would assume there are good ways of handling it and I'd
> rather not reinvent the wheel. Are there any best-practices or
> design patterns to guide someone? Maybe restricting url tracking
> people to a certain ip range, or within a certain tolerance of other info
> they send back (browser, some other signature, etc.)?
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
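As an added illustration (not code from the thread or from Tomcat), this is the check a defender would run over Tomcat access logs to find the case Marc describes: a rewritten session id arriving on the URL and then being presented by more than one client. The log lines are constructed; note that Tomcat's actual URL form is `;jsessionid=`, not `/jsessionid=`.

```python
"""Detection for the URL-rewritten session-id problem discussed above."""
import re
from collections import defaultdict

# Constructed sample lines in Tomcat's combined access-log format (remote ip,
# request line, status, bytes, referer, user-agent). Tomcat appends a rewritten
# id to the path as ";jsessionid=...", which is the form matched below.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jan/2004:17:31:02 -0500] "GET /shop/cart;jsessionid=A1B2C3D4E5F60718 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.5 - - [27/Jan/2004:17:31:09 -0500] "GET /shop/checkout HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.77 - - [27/Jan/2004:17:40:44 -0500] "GET /shop/cart;jsessionid=A1B2C3D4E5F60718 HTTP/1.1" 200 512 "http://news.example/thread/42" "Mozilla/5.0 (X11; Linux)"
10.0.0.9 - - [27/Jan/2004:17:41:00 -0500] "GET /shop/cart;jsessionid=FFEEDDCCBBAA9988 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
JSESSIONID_RE = re.compile(r';jsessionid=([0-9A-Za-z.]+)', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, plus any URL-carried session id."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    sid = JSESSIONID_RE.search(rec["url"])
    rec["sid"] = sid.group(1) if sid else None  # None when the id travelled in a cookie
    return rec


def url_session_clients(log_text):
    """Map each session id seen on a URL to the set of (ip, user-agent) that used it."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["sid"]:
            clients[rec["sid"]].add((rec["ip"], rec["ua"]))
    return dict(clients)


def shared_sessions(log_text):
    """Session ids presented on the URL by more than one distinct client.

    Keyed on (ip, user-agent) rather than ip alone: an address change by itself
    is weak evidence (proxies, dial-up reconnects, NAT), which is why binding a
    session to an ip is a poor control. Treat a hit as an alert to investigate
    and a reason to invalidate the session, not as a per-request block.
    """
    return {sid: sorted(c) for sid, c in url_session_clients(log_text).items() if len(c) > 1}
```

Ids that only ever travel in a cookie never appear in the log, so the report is limited to exactly the rewritten-URL case the thread is worried about.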