tomcat-users mailing list archives

From John Caron <>
Subject session hijacking again
Date Fri, 26 Jan 2007 18:33:24 GMT

Our application is serving large amounts of scientific data over HTTP. The user needs to log in
to access the data. We would like to use session ids to reduce the login overhead. We can't
afford the overhead of HTTPS encryption of the data (3 times slower?). We realize this makes
us vulnerable to session hijacking. Still, we aren't transferring financial information, so
tentatively we think it's a reasonable risk.

The Wikipedia article ( suggests a couple of
things that help, that seem reasonable to me:

# Some services make secondary checks against the identity of the user. For example, a web
server could check with each request made that the IP address of the user matched the one
last used during that session. This does not prevent attacks by somebody who shares the same
IP address, however, and could be frustrating for users whose IP address is liable to change
during a browsing session.

# Alternatively, some services will change the value of the cookie with each and every request.
This dramatically reduces the window in which an attacker can operate and makes it easy to
identify whether an attack has taken place, but can cause other technical problems (for example,
preventing the back button from working properly, on the web).

I would like to implement one or both of these in Tomcat: 1) IP checking and 2) session id
switching. I guess others have thought about this. Does anyone have any advice or pointers
(or code!) to get started?

Thanks for any help.

John Caron
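As an added illustration (not part of the original post, and not code supplied by the poster or by the Tomcat project), both mitigations described above can be combined in a single servlet Filter. It assumes a Servlet 3.1 container such as Tomcat 8 or 9 (the javax.servlet package and HttpServletRequest.changeSessionId(), neither of which existed in the Tomcat versions current in 2007); the filter class name and the session attribute name are hypothetical.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter: binds each session to the client IP address it was
 * first seen from (mitigation 1) and issues a fresh session id on every
 * request (mitigation 2). A mismatch is treated as a possible hijack: the
 * session is invalidated, the event is logged, and the request is rejected.
 */
@WebFilter("/*")
public class SessionBindingFilter implements Filter {

    // Hypothetical attribute name; holds the IP the session was bound to.
    private static final String BOUND_IP = "sessionBinding.clientIp";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only inspect existing sessions; never create one just to bind it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            String clientIp = request.getRemoteAddr();
            String boundIp = (String) session.getAttribute(BOUND_IP);

            if (boundIp == null) {
                // First request after login: record the address the session belongs to.
                session.setAttribute(BOUND_IP, clientIp);
            } else if (!boundIp.equals(clientIp)) {
                // Secondary identity check failed (mitigation 1): log it for detection,
                // drop the session so the id is useless to whoever presented it, and reject.
                request.getServletContext().log("Session " + session.getId()
                        + " bound to " + boundIp + " presented from " + clientIp
                        + "; invalidating");
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }

            // Mitigation 2: rotate the id on every request. Session attributes are
            // kept; the container sends a new Set-Cookie, so a captured id is only
            // valid until the legitimate client's next request.
            request.changeSessionId();
        }

        chain.doFilter(req, res);
    }
}
```

Two caveats a deployment should weigh. getRemoteAddr() returns the address of a reverse proxy or load balancer if one sits in front of Tomcat, so every user would appear to share one IP and the check would be meaningless; Tomcat's RemoteIpValve can restore the original client address from the forwarding header before the filter runs. Rotating the id on every request also races when a browser issues several requests in parallel (typical for a data-serving application): a response carrying an older id can arrive after a newer one has already been set, leaving the client with a stale cookie, which is the kind of technical problem the quoted Wikipedia text alludes to. A common compromise is to rotate the id only at login and at other privilege changes, keeping the per-request IP check.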
