tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lutz Zetzsche <Lutz.Zetzs...@sea-rescue.de>
Subject Re: Can a client recapture a session in Tomcat 4.1
Date Thu, 12 May 2005 15:15:36 GMT
Hi Sebastian,

Am Donnerstag, 12. Mai 2005 16:57 schrieb Millies, Sebastian:
> Can a client recapture his Tomcat session after he
> has accidentally closed the browser, provided that
> the session object still exists on the server?
>
> Would this be a browser-specific thing? After all,
> I guess I'd need to tell the browser to persist
> the session cookie or some such thing. Or would it
> work browser-independently using URL-rewriting?
>
> If there is such a mechanism, does it pose any
> security concerns (e. g. through Tomcat reusing
> a session-id for a totally different session?)
>
> We're on Tomcat 4.1. Would the answer be any
> different for Tomcat 5.0?
>
> Thanks for any enlightenment or additional
> pointers-.

From my point of view, you are already asking the right questions.

Firstly, if you would always maintain the session by using cookies and 
never by transporting the session id with the url, if you would 
furthermore set a persistent session cookie which would not be 
destroyed when the browser would be closed, and if last but not least 
the user would have made his browser settings accordingly - not 
deleting cookies when closing the browser -, then it would be possible 
to re-capture the Tomcat session as long as it would exist on the 
server.

As you can see, there are a lot if's.

Secondly, it would be a severe security hole in your application if you 
would set persistent session cookies. From the security point of view, 
the session cookie has to be destroyed when the browser is closed.

Imagine, a user does close the browser intentionally and not 
accidentally, and the next user can re-capture, rather hijack, his 
session just because the session cookie is persistent.

Draw the conclusion yourself, but a persistent session cookie to comfort 
the user when closing the browser accidentally results in a security 
hole which I would not allow in my web application. It cannot be in the 
interest of the user concerned that you cannot guarantee the privacy of 
his data after the browser has been closed due to persistent session 
cookies.


Best wishes

Lutz

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message