tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "George Sexton" <gsex...@mhsoftware.com>
Subject RE: Session Expires At Every Request (Tomcat5.0.28/Firefox)
Date Thu, 16 Feb 2006 00:43:02 GMT
I've been developing with Tomcat for years, and I never really know about
this issue. 

I'd have to say that it must not be a widely known issue.

Perhaps since the security picture has changed over the past couple of years
its time to revisit this issue.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

> -----Original Message-----
> From: Filip Hanik - Dev Lists [mailto:devlists@hanik.com] 
> Sent: Wednesday, February 15, 2006 2:24 PM
> To: Tomcat Users List
> Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)
> 
> Adam and Mallory have to stop shopping! =)
> 
> this debate has been going on for years, you just caught onto 
> to it now, 
> and I was in it last time, don't plan on participating again. 
> Have fun 
> with it though!!
> 
> Filip
> 
> 
> George Sexton wrote:
> > An even simpler case:
> >
> > Adam visits a banking site. On entering the site he gets a cookie. 
> >
> >
> > Mallory snoops the session ID on the data stream.
> >
> > Adam then authenticates to read his account information. 
> The application
> > sets a session attribute (say a bean with the account name 
> and number) on
> > the session.
> >
> >
> > Mallory now enters the secure area of the banking site 
> using the forged
> > session ID. 
> >
> > Poof. Mallory is logged in as Adam.
> >
> > Poof. Adam is had and his data is there to be stolen, or 
> wire transferred to
> > another account.
> >
> >
> >
> > George Sexton
> > MH Software, Inc.
> > http://www.mhsoftware.com/
> > Voice: 303 438 9585
> >   
> >


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message