tomcat-users mailing list archives

From Michael Decker <MDec...@tesis.de>
Subject Re: Tomcat 5.5 / Apache 2 / Join (Tomcat-) Session with SSL-Session / Which mod should be used?
Date Fri, 19 May 2006 15:13:56 GMT
	Hi!

>> Why do I want that? If you have an application with sessions, you can get
>> the application information by spying (XSS, browser plugin, etc.) or
>> copying (URL with session ID).
>>
>> Because of that, the idea was to join the SSL session ID and the application
>> session ID, so that you can avoid that.
> 
> Understood on what you are trying to do now.  Maybe:
> http://java.sun.com/products/servlet/2.1/api/javax.servlet.ServletRequest.html
> and :
> [...]
> Before all HttpSession object usage you want to validate it, maybe a
> Servlet Filter would be a good way to handle this.
> http://java.sun.com/products/servlet/Filters.html

Thanks... That would be my way...

>> I'm not sure if I completely understand you: The SSL session (ID) can
>> change between two requests?
> 
> HTTP is a stateless protocol.  So from a pure HTTP perspective, yes, sure,
> the ID can change between requests.  In practice, with feature-full
> browsers and a normal usage pattern, linking them is probably safe; you'll
> have to test with your user base to be sure.

Oh, now I understand what you want to say... Yes, of course HTTP is stateless.
That was the reason for creating sessions handled with cookies, URL
parameters, referrers etc.

You were a great help.

Thanks a lot!
	Michael
-- 
Michael Decker                      Michael.Decker@tesis.de
TESIS SYSware GmbH                      http://www.tesis.de
Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0
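
Added example, not part of the original message or of Tomcat's own code: a servlet filter that ties the HttpSession to the SSL session ID as discussed in the thread, and invalidates the session when the two no longer match. It assumes the container exposes the SSL session ID as the request attribute `javax.servlet.request.ssl_session`; the class name and the session attribute name are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SslSessionBindingFilter implements Filter {
    // Assumption: the container publishes the SSL session ID under this request attribute.
    static final String SSL_ID_ATTR = "javax.servlet.request.ssl_session";
    // Hypothetical session attribute that remembers which SSL session the HttpSession belongs to.
    static final String BOUND_ID = "example.boundSslSessionId";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Object attr = request.getAttribute(SSL_ID_ATTR);
        String sslId = (attr == null) ? null : attr.toString();

        HttpSession session = request.getSession(false);
        if (session != null) {
            Object bound = session.getAttribute(BOUND_ID);
            // A bound session presented without SSL, or over a different SSL session,
            // is treated as a copied session ID. A browser whose SSL session was
            // renegotiated lands here too and has to log in again.
            if (bound != null && !bound.equals(sslId)) {
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Session not valid for this connection");
                return;
            }
        }

        chain.doFilter(req, res);

        // Bind a session that exists now but is not bound yet (for example one
        // created by the login servlet during this request).
        session = request.getSession(false);
        if (session != null && sslId != null && session.getAttribute(BOUND_ID) == null) {
            session.setAttribute(BOUND_ID, sslId);
        }
    }
}
```

Map the filter in `web.xml` to every URL that uses the session, and log the rejections during a trial period to see how often the SSL session ID changes for your real users.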

