tomcat-users mailing list archives

From Darryl Miles <darryl-mailingli...@netbauds.net>
Subject Re: Session hijacking with Tomcat/Myfaces - unable to fix it
Date Fri, 11 Aug 2006 04:50:48 GMT
Maurice Yarrow wrote:
> Thanks for adding this thought.  As per my previous note on this
> subject, in light of your (relative) confidence in using IP,  maybe
> I  _should_ reconsider the getRemoteAddr() and simply use it as an
> addt'l advisory for making session auth decision on successive
> pages as they transit http/https.

Maybe the information in the "Via:" header should be taken into account
as well.  getRemoteAddr() returns the IP address of the last proxy;
there is nothing to stop the proxy route from changing between requests,
this is allowed.


Darryl

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
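
The advisory use of getRemoteAddr() and the "Via:" header discussed in this message, as an added example that is not part of the original post. The class name, the Signal values and the re-authentication policy are assumptions made for illustration; the addresses and proxy names are constructed sample data.

```java
import java.util.Objects;

public class SessionOriginCheck {
    // Advisory outcome only: none of these alone proves or rules out hijacking.
    enum Signal { CONSISTENT, ROUTE_CHANGED, ADDRESS_CHANGED }

    // Values captured when the session was authenticated. In a servlet they come from
    // request.getRemoteAddr() and request.getHeader("Via") (null when no proxy adds one).
    record Origin(String remoteAddr, String via) {}

    static Signal compare(Origin atLogin, Origin now) {
        boolean sameAddr = atLogin.remoteAddr().equals(now.remoteAddr());
        boolean sameVia = Objects.equals(atLogin.via(), now.via());
        if (sameAddr && sameVia) {
            return Signal.CONSISTENT;
        }
        // With a proxy involved, remoteAddr is the last proxy's address and the
        // route may legitimately differ between requests, so this is a weak signal.
        if (atLogin.via() != null || now.via() != null) {
            return Signal.ROUTE_CHANGED;
        }
        // No proxy declared on either request, yet the peer address differs.
        return Signal.ADDRESS_CHANGED;
    }

    // Assumed policy: only a direct address change on a sensitive page asks for
    // re-authentication; other non-CONSISTENT results are allowed and logged.
    static boolean needsReauth(Signal s, boolean sensitivePage) {
        return s == Signal.ADDRESS_CHANGED && sensitivePage;
    }

    public static void main(String[] args) {
        // Constructed pairs: {origin at login, origin on a later request}.
        Origin proxied = new Origin("192.0.2.10", "1.1 proxy-a.example");
        Origin direct = new Origin("198.51.100.5", null);
        Origin[][] pairs = {
            { proxied, new Origin("192.0.2.10", "1.1 proxy-a.example") }, // same proxy
            { proxied, new Origin("192.0.2.11", "1.1 proxy-b.example") }, // route switched
            { direct, new Origin("203.0.113.7", null) },                  // new peer, no Via
        };
        for (Origin[] p : pairs) {
            Signal s = compare(p[0], p[1]);
            System.out.println(p[1] + " -> " + s + ", reauth: " + needsReauth(s, true));
        }
    }
}
```

Via is an ordinary request header that anything on the path can add, omit or rewrite, so it only refines how much weight the address comparison gets.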

