tomcat-users mailing list archives

From "Paul Roberts" <>
Subject RE: Tomcat IP and Session ID's
Date Fri, 24 Feb 2006 14:23:18 GMT
Thank you.
I was wondering, over and above encrypting the communications channel, how 
does HTTPS help to prevent session ID hijacking?


Paul Roberts.

>From: "Peter Crowther" <>
>Reply-To: "Tomcat Users List" <>
>To: "Tomcat Users List" <>
>Subject: RE: Tomcat IP and Session ID's
>Date: Fri, 24 Feb 2006 11:51:44 -0000
> > From: Paul Roberts []
> > I have a question regarding IP address and session ID's.
> >
> > If a user on IP Address 1 connects to the Tomcat server and is given
> > session ID A, what happens if that session ID is hijacked by
> > someone on
> > IP address 2 and then used for a further request. How would the
> > different versions of Tomcat react to this, if at all.
> > Specifically does
> > Tomcat hold a relationship between IP address and session ID which is
> > checked on each subsequent request.
>No.  In fact, Tomcat should not do so - some users access Web servers
>via a farm of proxy servers, and different servers in the farm (with
>different IP addresses) might make different requests for the same user,
>even when that user is loading (say) images on a single page.
>If you want to prevent hijacking of session IDs, the session must be
>over HTTPS, not HTTP.
>		- Peter
>To unsubscribe, e-mail:
>For additional commands, e-mail:

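As an added illustration of Peter's advice (not code from the thread or from Tomcat itself), the web.xml fragment below makes Tomcat enforce the "session must be over HTTPS" rule rather than relying on the application to remember it. It assumes a Servlet 3.0-capable Tomcat (7 or later, so newer than the 2006 thread) and an HTTPS connector already configured in server.xml with the HTTP connector's redirectPort pointing at it; the session timeout value is an arbitrary choice for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Force every URL in the application onto HTTPS. A request arriving on
       the plain-HTTP connector is redirected by Tomcat to that connector's
       redirectPort (8443 in the stock server.xml), so the session ID is never
       carried on a cleartext request that a network eavesdropper could read. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The redirect above protects requests the server sees, but the browser
       decides when to send the cookie. Secure tells it never to attach
       JSESSIONID to an http:// request, even to the same host, so a single
       stray plain-HTTP link cannot leak the ID. HttpOnly keeps the cookie out
       of document.cookie. Restricting tracking to COOKIE disables URL
       rewriting, so the ID never appears in a ;jsessionid=... path segment
       that would end up in Referer headers and proxy logs.
       session-timeout (minutes) is an example value. -->
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
```

To check the result, request any page over http:// with curl -i and confirm a 302 to the https:// URL with no Set-Cookie header in the response, then fetch over https:// and confirm the Set-Cookie line for JSESSIONID carries both the Secure and HttpOnly attributes. Note that this only stops interception in transit; an ID obtained some other way (a leaked log, a cross-site scripting bug that the HttpOnly flag happens not to cover) is still accepted by Tomcat from any IP address, for the proxy-farm reason Peter gives.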
