tomcat-users mailing list archives

From curunir <s...@synth.org>
Subject Re: Turning off jsessionid
Date Wed, 12 Dec 2007 06:33:49 GMT

Since you were curious why someone would want to disable URL rewriting, I can
tell you why we had to do this.

For our client, it was taken as a given that users would be frequently
copying/pasting URLs in emails and IMs to other users. It's not a necessary
part of our application, but we all know the vast majority of computer users
are basically clueless when it comes to security and simply won't consider
the security implications of their actions. If you enable URL rewriting, it
makes it possible for someone visiting a URL sent to them in an email/IM to
be logged in as the user who was originally passed the URL. Additionally,
the users of the application frequently take screenshots when submitting
bugs and those screenshots would, in many cases, also include the session
id.

In our application, where real money is at stake, this kind of risk is
unacceptable. I'd go as far as to say that URL rewriting is fundamentally
insecure for this reason and should be turned off whenever it's possible
that URLs would be exposed in either of these two manners (provided your
application requires a decent level of security).



Christopher Schultz-2 wrote:
> 
> ...
> 
> I'm not sure why you'd ever want to do this, though. I'd love to hear
> your reason for doing it, though.
> 
> ...
> 
-- 
View this message in context: http://www.nabble.com/Turning-off-jsessionid-tp13430750p14289776.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
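As an added illustration of the mitigation the post argues for (this is example code, not anything from the mailing-list thread or from Tomcat itself), here is a servlet filter that refuses to honour a session id delivered in the URL path and stops the application from ever emitting one. It assumes the Servlet 2.5 API that Tomcat 6 implemented at the time; the class name `RejectUrlSessionFilter` and the helper `stripJsessionId` are hypothetical names chosen for this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Example filter (not part of the original post or of Tomcat): a session id that
 * arrived as a ";jsessionid=..." path parameter is never accepted, so a pasted or
 * screenshotted URL cannot log its recipient in as the user who copied it.
 * Assumes the javax.servlet 2.5 API. Map it to /* in web.xml.
 */
public class RejectUrlSessionFilter implements Filter {

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isRequestedSessionIdFromURL()) {
            // The container resolved the URL id to a live session. Invalidate it so the
            // leaked id stops working for everyone, including the original user, who
            // will simply log in again and receive a cookie-based session.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // Send the client to the same resource with the path parameter removed.
            String query = request.getQueryString();
            String target = stripJsessionId(request.getRequestURI())
                    + (query != null ? "?" + query : "");
            response.sendRedirect(target);
            return;
        }

        // URL rewriting works by the application calling encodeURL()/encodeRedirectURL(),
        // which append ;jsessionid when the client has not presented a cookie. Returning
        // the URL unchanged means no session id can ever end up in a link or redirect.
        chain.doFilter(request, new HttpServletResponseWrapper(response) {
            @Override public String encodeURL(String url) { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
            @Override public String encodeUrl(String url) { return url; }
            @Override public String encodeRedirectUrl(String url) { return url; }
        });
    }

    /** Removes a ";jsessionid=..." path parameter from a URI, case-insensitively. */
    static String stripJsessionId(String uri) {
        return uri.replaceAll("(?i);jsessionid=[^;/?#]*", "");
    }
}
```

Invalidating rather than silently ignoring the URL-borne session is deliberate: if the id has been pasted into an email or captured in a screenshot, it should be treated as compromised, not merely declined for this one request. Containers implementing Servlet 3.0 and later can express the same policy declaratively with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, which postdates this 2007 thread.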


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

