tomcat-users mailing list archives

From "Peter Crowther" <Peter.Crowt...@melandra.com>
Subject RE: Tomcat IP and Session ID's
Date Fri, 24 Feb 2006 11:51:44 GMT
> From: Paul Roberts [mailto:planetvoodoo@hotmail.co.uk]
> I have a question regarding IP addresses and session IDs.
> 
> If a user on IP address 1 connects to the Tomcat server and is given
> session ID A, what happens if that session ID is hijacked by someone on
> IP address 2 and then used for a further request? How would the
> different versions of Tomcat react to this, if at all? Specifically, does
> Tomcat hold a relationship between IP address and session ID which is
> checked on each subsequent request?

No.  In fact, Tomcat should not do so - some users access Web servers
via a farm of proxy servers, and different servers in the farm (with
different IP addresses) might make different requests for the same user,
even when that user is loading (say) images on a single page.

If you want to prevent hijacking of session IDs, the session must be
over HTTPS, not HTTP.

		- Peter

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
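The HTTPS-only session that Peter recommends, written out as a Servlet web.xml fragment. This is an added example, not code from the thread or from Tomcat itself. The url-pattern and the 30-minute timeout are placeholder choices, and the cookie-config and tracking-mode elements assume a Servlet 3.0 or later container (Tomcat 7 and up), which postdates this 2006 message; the security-constraint part works on the Tomcat versions being discussed as well.

```xml
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Force every request for the application over HTTPS. With a
       CONFIDENTIAL transport guarantee the container redirects a plain
       HTTP request to the HTTPS connector instead of serving it, so the
       session cookie is never carried in cleartext where it can be read
       off the wire. url-pattern "/*" is a placeholder: narrow it if only
       part of the application is session-bearing. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole-application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Servlet 3.0+ only. "secure" stops the browser from sending
       JSESSIONID over plain HTTP even if a link or redirect drops to http://,
       and "http-only" keeps it out of reach of page scripts. Restricting
       tracking to COOKIE disables URL rewriting, so the ID never appears
       in a ;jsessionid=... URL, in logs, or in a Referer header. -->
  <session-config>
    <session-timeout>30</session-timeout>   <!-- placeholder value, minutes -->
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

</web-app>
```

Two caveats a deployer will hit. First, CONFIDENTIAL only redirects somewhere useful if server.xml actually defines an HTTPS connector and the plain HTTP connector's redirectPort points at it; otherwise the redirect lands on a closed port. Second, none of this makes Tomcat check the client IP against the session, which is exactly the behaviour Peter explains it should not have: a stolen ID still works from any address, so the point of the configuration is to keep the ID from being stolen in transit in the first place, together with regenerating the session ID at login so an ID fixed or observed before authentication is worthless afterwards.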

