tomcat-users mailing list archives

From Michael Decker
Subject Re: Tomcat 5.5 / Apache 2 / Join (Tomcat-) Session with SSL-Session / Which mod should be used?
Date Fri, 19 May 2006 15:13:56 GMT

>> Why do I want that? If you have an application with sessions, you can
>> get the application information by spying (XSS, browser plugin etc.) or
>> copying (URL with session ID).
>> Because of that, the idea was to join the SSL session ID and the
>> application session ID, so you can avoid that.
> Understood on what you are trying to do now.  Maybe:
> and :
> [...]
> Before all HttpSession object usage you want to validate it, maybe a
> Servlet Filter would be a good way to handle this.

Thanks... That would be my way...

>> I'm not sure if I completely understand you: The SSL session (ID) can
>> change between two requests?
> HTTP is a stateless protocol.  So from a pure HTTP perspective, yes, sure,
> the ID can change between requests.  In practice, with full-featured
> browsers and a normal usage pattern, linking them is probably safe; you'll
> have to test with your userbase to be sure.

Oh, now I understand what you want to say... Yes, of course HTTP is stateless.
That was the reason for creating sessions handled with cookies, URL
parameters, referrers etc.

You were a great help.

Thanks a lot!
Michael Decker            
TESIS SYSware GmbH            
Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0
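
The Servlet Filter approach suggested in the quoted reply, sketched as an added example that is not code from this thread or from the Tomcat project. It assumes Tomcat exposes the SSL session ID in the `javax.servlet.request.ssl_session` request attribute and that the Apache front end forwards it to Tomcat; the class name and the `example.boundSslSessionId` attribute are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: ties each HttpSession to the SSL session that created it. */
public class SslSessionBindingFilter implements Filter {
    // Tomcat request attribute carrying the SSL session ID on HTTPS requests
    // (assumption: the front-end connector forwards it).
    private static final String SSL_ID_ATTR = "javax.servlet.request.ssl_session";
    // Hypothetical session attribute name used only by this example.
    private static final String BOUND_ID = "example.boundSslSessionId";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Object sslId = http.getAttribute(SSL_ID_ATTR);

        // Validate before any servlet touches the HttpSession.
        HttpSession session = http.getSession(false);
        if (session != null) {
            Object bound = session.getAttribute(BOUND_ID);
            // Fail closed: a bound session presented without an SSL ID, or with
            // a different one, is treated as copied. A legitimate client whose
            // SSL session was renegotiated or expired also lands here and must
            // log in again.
            if (bound != null && !bound.equals(sslId)) {
                session.invalidate();
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }

        chain.doFilter(req, res);

        // Bind sessions created during this request, so the very next request
        // is already checked against the SSL session that created them.
        session = http.getSession(false);
        if (session != null && sslId != null
                && session.getAttribute(BOUND_ID) == null) {
            session.setAttribute(BOUND_ID, sslId);
        }
    }
}
```

Map the filter to `/*` in `web.xml` so it runs ahead of every servlet, and measure how often real browsers change SSL session IDs before enforcing it, as the reply advises.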
