tomcat-users mailing list archives

From "Paul Roberts" <planetvoo...@hotmail.co.uk>
Subject RE: Tomcat IP and Session ID's
Date Fri, 24 Feb 2006 14:23:18 GMT
Thank you.
I was wondering, over and above encrypting the communications channel, how 
does HTTPS help to prevent session ID hijacking?

Regards

Paul Roberts.



>From: "Peter Crowther" <Peter.Crowther@melandra.com>
>Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
>To: "Tomcat Users List" <users@tomcat.apache.org>
>Subject: RE: Tomcat IP and Session ID's
>Date: Fri, 24 Feb 2006 11:51:44 -0000
>
> > From: Paul Roberts [mailto:planetvoodoo@hotmail.co.uk]
> > I have a question regarding IP addresses and session IDs.
> >
> > If a user on IP Address 1 connects to the Tomcat server and is given
> > session ID A, what happens if that session ID is hijacked by someone on
> > IP address 2 and then used for a further request? How would the
> > different versions of Tomcat react to this, if at all? Specifically, does
> > Tomcat hold a relationship between IP address and session ID which is
> > checked on each subsequent request?
>
>No.  In fact, Tomcat should not do so - some users access Web servers
>via a farm of proxy servers, and different servers in the farm (with
>different IP addresses) might make different requests for the same user,
>even when that user is loading (say) images on a single page.
>
>If you want to prevent hijacking of session IDs, the session must be
>over HTTPS, not HTTP.
>
>		- Peter
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org
>



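The two points Peter makes above, that Tomcat does not tie a session to a client address (and should not, because proxy farms spread one user's requests over several addresses) and that the protection against hijacking is to keep the session on HTTPS, can be put into a servlet Filter. The following is an added example written for this archive page; it is not code from the thread or from Tomcat itself. It uses only the standard javax.servlet API (Servlet 2.3 or later); the class name, the session attribute name and the policy of refusing session-bearing requests over plain HTTP are the example's own choices.

```java
// Added example, not from the thread or from Tomcat. Audits (does not enforce)
// changes of client address across a session, and refuses to honour a session
// over plain HTTP so that an ID sniffed from cleartext cannot be replayed.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionOriginAuditFilter implements Filter {
    // Hypothetical attribute name chosen for this example.
    private static final String ORIGIN_ATTR = "example.session.originAddr";
    private ServletContext context;

    @Override
    public void init(FilterConfig cfg) {
        context = cfg.getServletContext();
    }

    @Override
    public void destroy() {
        context = null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // getSession(false) never creates a session, so a request that merely
        // carries an unknown or expired JSESSIONID passes through untouched.
        HttpSession session = request.getSession(false);

        // Policy chosen for this example: a session that has been presented over
        // cleartext HTTP is treated as disclosed and is invalidated, not served.
        if (session != null && !request.isSecure()) {
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "existing sessions are only accepted over HTTPS");
            return;
        }

        if (session != null) {
            String origin = (String) session.getAttribute(ORIGIN_ATTR);
            String now = request.getRemoteAddr();
            if (origin == null) {
                // First request on this session: remember where it came from.
                session.setAttribute(ORIGIN_ATTR, now);
            } else if (!origin.equals(now)) {
                // Log only. Tomcat itself keeps no address/session binding, and
                // rejecting here would lock out users whose proxy farm sends
                // one page load (HTML, images, ...) from several egress addresses.
                context.log("session " + session.getId() + " first seen from "
                        + origin + ", now from " + now);
            }
        }

        chain.doFilter(req, resp);
    }
}
```

Map the filter in web.xml with a `<filter-mapping>` on `/*` so every request passes through it. The address comparison is deliberately an audit line rather than a rejection, for the reason given in the reply above; if the application sits behind a reverse proxy, `getRemoteAddr()` returns the proxy's address, so the log entry describes the proxy hop, not the end user.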

