tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tim Lucia" <timlu...@yahoo.com>
Subject RE: Tomcat IP and Session ID's
Date Fri, 24 Feb 2006 14:46:36 GMT
By encrypting the entire conversation, including the cookies.  Remember that
SSL is wrapped around http, otherwise we could support multiple named
virtual hosts using SSL.
 

-----Original Message-----
From: Paul Roberts [mailto:planetvoodoo@hotmail.co.uk] 
Sent: Friday, February 24, 2006 9:23 AM
To: users@tomcat.apache.org
Subject: RE: Tomcat IP and Session ID's

Thank you.
I was wondering, over and above encrypting the communications channel how
does HTTPS help to prevent session ID hijacking?

Regards

Paul Roberts.



>From: "Peter Crowther" <Peter.Crowther@melandra.com>
>Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
>To: "Tomcat Users List" <users@tomcat.apache.org>
>Subject: RE: Tomcat IP and Session ID's
>Date: Fri, 24 Feb 2006 11:51:44 -0000
>
> > From: Paul Roberts [mailto:planetvoodoo@hotmail.co.uk]
> > I have a question regarding IP address and session ID's.
> >
> > If a user on IP Address 1 connects to the Tomcat server and is given 
> > session ID A, what happens if that session ID is hijacked by someone 
> > on IP address 2 and then used for a further request. How would the 
> > different version of Tomcat react to this, if at all.
> > Specifically does
> > Tomcat hold a relationship between IP address and session ID which 
> > is checked on each subsequent request.
>
>No.  In fact, Tomcat should not do so - some users access Web servers 
>via a farm of proxy servers, and different servers in the farm (with 
>different IP addresses) might make different requests for the same 
>user, even when that user is loading (say) images on a single page.
>
>If you want to prevent hijacking of session IDs, the session must be 
>over HTTPS, not HTTP.
>
>		- Peter
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org
>

_________________________________________________________________
Are you using the latest version of MSN Messenger? Download MSN Messenger
7.5 today! http://messenger.msn.co.uk


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message