tomcat-users mailing list archives

From Peter Rossbach ...@objektpark.de>
Subject Re: Which JSESSIONID is evaluated first? The one from the Cookie or from the URL?
Date Mon, 24 Oct 2005 13:10:08 GMT
Hi,

I think the URL session ID is interpreted first, but then the cookie is parsed and set. See o.a.c.connector.CoyoteAdapter.postParseRequest.

First the session id is set from the URL (parseSessionId L. 249) and later set again from the cookie (parseSessionCookiesId L. 324). You can simply test this with a simple JSP that shows the session id, and later send the request again with ;jsessionid=123123as ... :-)

Peter

Leon Rosenberg wrote:

>Hi,
>
>Sorry for being too lazy to look into the source code, but I
>thought that for people of knowledge it would take 10 sec to give me
>the right answer :-)
>
>There is an interesting issue of hijacking a session on a .net
>application (surely founded in bad programming rather than the
>framework), but I'd be interested if such a thing is possible with
>Tomcat too.
>
>For German-speaking people:
>http://www.goodguy.de/Sicherheitsluecke_Neu_de/
>
>For all the others: is it possible to overwrite the Tomcat-issued
>session (cookie session) by attaching a different session in the URL?
>
>regards
>Leon
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
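The mitigation a deployer would want for the concern in this thread is to refuse session ids that arrive via ";jsessionid=" URL rewriting, so only the container-issued cookie can select a session. The filter below is an added example written for this page, not Tomcat's own code or anything from the thread; the class name CookieOnlySessionFilter and the redirect-to-clean-URL behaviour are my own choices, and it assumes the Servlet 2.4-era javax.servlet API that the Tomcat 5 discussed here provides.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Hypothetical filter (not part of Tomcat): rejects a session id that was
 * supplied as a ";jsessionid=..." path parameter and starts a fresh,
 * cookie-delivered session instead. Map it to /* in web.xml.
 */
public class CookieOnlySessionFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The container has already chosen which id to honour (URL first,
        // cookie overrides it, as described in the thread); we only ask where
        // the id it ended up with came from.
        if (request.getRequestedSessionId() != null
                && request.isRequestedSessionIdFromURL()
                && !request.isRequestedSessionIdFromCookie()) {

            // Never let a URL-supplied id bind the visitor to existing state.
            HttpSession existing = request.getSession(false);
            if (existing != null) {
                existing.invalidate();
            }
            // New container-generated id; it is sent via Set-Cookie because the
            // session is created before the response is committed below.
            request.getSession(true);

            // Redirect to the same resource with the path parameter stripped,
            // so the rewritten id does not survive in the address bar or logs.
            String target = request.getRequestURI();
            int semi = target.indexOf(';');
            if (semi >= 0) {
                target = target.substring(0, semi);
            }
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            response.sendRedirect(target);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

On Servlet 3.0 and later containers the same effect is available declaratively with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, which makes the container ignore URL-embedded ids altogether.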