tomcat-users mailing list archives

From Darryl Miles <darryl-mailingli...@netbauds.net>
Subject Re: Session hijacking with Tomcat/Myfaces - unable to fix it
Date Thu, 10 Aug 2006 13:09:05 GMT

Well, HTTP cookies have a solution to this problem.  They have a "Secure" 
keyword in the Set-Cookie line.  This stops the client leaking the 
cookie outside of a secure channel.


The problem is I don't think Tomcat keeps track of and flags whether a session 
has been exposed via a non-secure channel or not.  If it did, then that's 
all a web-app filter needs to take action and invalidate the session 
itself and pick up a new one (possibly transferring from the old HttpSession 
to the new HttpSession any useful non-security-related attributes in the 
process).


Darryl

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
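The filter Darryl describes above, written out as an added example that is not code from the original thread, from Tomcat or from MyFaces. Because the container does not record the exposure itself, the filter does the bookkeeping in a session attribute: every request that arrives over plain HTTP with a session id marks that session as exposed, and the next HTTPS request carrying a marked id invalidates the session and creates a fresh one, copying across only attributes that are not security-related. The attribute name, the list of sensitive attribute names and the class name are assumptions for illustration; it targets the javax.servlet API that Tomcat 5.x shipped with.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Tracks whether a session id has ever been presented over plain HTTP.
 * When such an id later shows up on an HTTPS request the session is
 * invalidated and replaced, carrying over only non-sensitive attributes.
 * Example code, not part of Tomcat or MyFaces.
 */
public class SessionExposureFilter implements Filter {

    /** Session attribute marking an id that travelled in the clear (hypothetical name). */
    static final String EXPOSED = "example.session.exposedOverHttp";

    /** Attributes that must never be copied to the replacement session (hypothetical names). */
    private static final Set<String> SENSITIVE = new HashSet<String>(
            Arrays.asList("user", "roles", "csrfToken"));

    public void init(FilterConfig cfg) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Do not create a session here; only look at one the client already presented.
        HttpSession session = request.getSession(false);

        if (session != null) {
            if (!request.isSecure()) {
                // The id was just sent over plain HTTP: remember that it is tainted.
                session.setAttribute(EXPOSED, Boolean.TRUE);
            } else if (Boolean.TRUE.equals(session.getAttribute(EXPOSED))) {
                // HTTPS request arriving with a tainted id: rotate before any
                // downstream code trusts the session.
                rotate(request, session);
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Invalidates the old session and creates a fresh one with a new id,
     * copying only attributes that are neither sensitive nor the taint marker.
     */
    static HttpSession rotate(HttpServletRequest request, HttpSession old) {
        Map<String, Object> keep = new HashMap<String, Object>();
        for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
            String name = (String) e.nextElement();
            if (!SENSITIVE.contains(name) && !EXPOSED.equals(name)) {
                keep.put(name, old.getAttribute(name));
            }
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : keep.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

Map the filter in web.xml with a `<filter-mapping>` whose `<url-pattern>` is `/*` and list it before any other filter, so the rotation happens before MyFaces or application code reads the session. Two caveats a practitioner should keep in mind: the marker is only set for plain-HTTP requests that reach this web-app, so an id leaked to a different host or path is not detected; and rotating the session after the fact is a fallback, not a substitute for the Secure flag on the session cookie, which prevents the browser from sending the id over plain HTTP at all.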

