tomcat-users mailing list archives

From "Tim Lucia" <>
Subject RE: Tomcat IP and Session ID's
Date Fri, 24 Feb 2006 14:46:36 GMT
By encrypting the entire conversation, including the cookies.  Remember that
SSL is wrapped around http, otherwise we could support multiple named
virtual hosts using SSL.

-----Original Message-----
From: Paul Roberts [] 
Sent: Friday, February 24, 2006 9:23 AM
Subject: RE: Tomcat IP and Session ID's

Thank you.
I was wondering, over and above encrypting the communications channel how
does HTTPS help to prevent session ID hijacking?


Paul Roberts.

>From: "Peter Crowther" <>
>Reply-To: "Tomcat Users List" <>
>To: "Tomcat Users List" <>
>Subject: RE: Tomcat IP and Session ID's
>Date: Fri, 24 Feb 2006 11:51:44 -0000
> > From: Paul Roberts []
> > I have a question regarding IP address and session ID's.
> >
> > If a user on IP Address 1 connects to the Tomcat server and is given 
> > session ID A, what happens if that session ID is hijacked by someone 
> > on IP address 2 and then used for a further request. How would the 
> > different versions of Tomcat react to this, if at all.
> > Specifically does
> > Tomcat hold a relationship between IP address and session ID which 
> > is checked on each subsequent request.
>No.  In fact, Tomcat should not do so - some users access Web servers 
>via a farm of proxy servers, and different servers in the farm (with 
>different IP addresses) might make different requests for the same 
>user, even when that user is loading (say) images on a single page.
>If you want to prevent hijacking of session IDs, the session must be 
>over HTTPS, not HTTP.
>		- Peter

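A concrete way to enforce what Peter and Tim describe, as an added example that is not from this thread: a web.xml fragment that makes Tomcat refuse to carry the application over plain HTTP, and (on Tomcat 7 or later, an assumption about the version in use) marks the session cookie Secure and HttpOnly. The /app path and the "Entire application" name are placeholders; the element names are standard Servlet deployment-descriptor syntax.

```xml
<!-- web.xml fragment (added example, not from the thread); paths and names are placeholders -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Servlet 2.x and later: require HTTPS for every URL in the application.
       Tomcat answers a plain-HTTP request for these URLs with a redirect to the
       HTTP connector's redirectPort, so the JSESSIONID cookie is only ever
       exchanged inside the TLS channel and cannot be read off the wire. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Servlet 3.0 (Tomcat 7 and later): mark the session cookie Secure so the
       browser never sends it to an http:// URL even if one slips in (a stray
       mixed-content link, for example), and HttpOnly so page scripts cannot read it. -->
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
```

To check the constraint after deploying, request a plain-HTTP URL such as `http://host:8080/app/` and confirm the response is a redirect to the https:// port set as redirectPort on the HTTP connector in server.xml.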