tomcat-users mailing list archives

From Darryl Miles <>
Subject Re: Session hijacking with Tomcat/Myfaces - unable to fix it
Date Thu, 10 Aug 2006 13:09:05 GMT

Well, HTTP cookies have a solution to this problem. They have a "Secure"
keyword in the Set-Cookie line. This stops the client leaking the
cookie outside of a secure channel.

The problem is I don't think Tomcat keeps track and flags if a session
has been exposed via a non-secure channel or not. If it did then that's
all a web-app filter needs to take action and invalidate the session
itself and pick up a new one (possibly transferring from old HttpSession
to new HttpSession any useful non-security related attributes in the


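The filter sketched in the message above, written out as an added example rather than code from this thread or from Tomcat: since the container does not record whether a session id has crossed a plain-HTTP connection, the filter records it itself, and on the next HTTPS request discards that session and re-creates it, carrying over only the harmless attributes. The class name, the marker attribute name and the `auth.` prefix used to tell security-related attributes apart are all assumptions made for the example.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: marks sessions seen over plain HTTP and re-issues them before secure use. */
public class ExposedSessionFilter implements Filter {
    /** Session attribute recording that this session id has travelled over a non-secure channel (constructed name). */
    static final String EXPOSED = "com.example.session.exposed";

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        if (session != null) {
            if (!request.isSecure()) {
                // The session id has just been sent in the clear; remember that for later.
                session.setAttribute(EXPOSED, Boolean.TRUE);
            } else if (session.getAttribute(EXPOSED) != null) {
                // An id that leaked over HTTP must not be trusted on the secure channel:
                // move the harmless state into a fresh session and drop the old one.
                reissue(request, session);
            }
        }
        chain.doFilter(req, res);
    }

    /** Copies non-security attributes into a new session and invalidates the old one. */
    static HttpSession reissue(HttpServletRequest request, HttpSession old) {
        Map<String, Object> keep = new HashMap<String, Object>();
        Enumeration names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            // "auth." prefix is an assumed convention for security-related attributes; skip them.
            if (!name.equals(EXPOSED) && !name.startsWith("auth.")) {
                keep.put(name, old.getAttribute(name));
            }
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true); // new id; the container sends a new Set-Cookie
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Mapping the filter to `/*` in web.xml makes the check run before any servlet touches the session; anything under the `auth.` prefix is deliberately left behind, so a user whose session was exposed has to authenticate again.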