tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: How to avoid session fixation?
Date Tue, 12 Feb 2008 14:11:07 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David,

david delbecq wrote:
| I would more be thinking about applications that play with
| sessionlistener and maintain a list of active sessions (to track number of
| users / who is logged in, etc). Like ip<->session id matching, a change of
| id on the fly could also break at several levels and should be
| optional.

Agreed.

| Also, for example, of non-cookie-enabled users, for whom URLs from
| before login would become useless (or at least would point to a
| non-existent session).

True, but I would think that anyone sufficiently concerned about this
particular issue would make arrangements for that possibility if they
were going to employ a session-switcher thing. This is a problem whether
you change the session id directly or change the session (and get a new id).

-chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkexqPsACgkQ9CaO5/Lv0PBxbwCfehX9F9KxPs8tK7gJCgh3ctww
nRYAn0Basg+wi6imjK5aFqjQE1f0BAOL
=85D4
-----END PGP SIGNATURE-----
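The two approaches the thread contrasts, "change the session (and get a new id)" versus changing the id in place, and the listener and cookie-less concerns raised above, as an added example. This is illustrative code written for this archive page, not Tomcat's own code and not code posted by either participant. It assumes the Servlet API (javax.servlet), a login servlet that calls finishLogin() once credentials are verified, and that the nested ActiveSessions listener is registered in web.xml; the attribute name example.principal is made up.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Session rotation on login, the "new session, new id" variant discussed in the thread. */
public final class SessionRotation {

    // Assumed attribute name for the authenticated user; not a Tomcat or Servlet API name.
    static final String PRINCIPAL_ATTR = "example.principal";

    private SessionRotation() {}

    /**
     * Discards the pre-login session (whose id an attacker may have planted) and
     * creates a fresh one, carrying the old attributes over. Must run BEFORE the
     * response is committed, otherwise the new id cannot reach the client.
     */
    public static HttpSession rotate(HttpServletRequest request, Object principal) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate(); // fires sessionDestroyed for the fixated id
        }
        HttpSession fresh = request.getSession(true); // fires sessionCreated for the new id
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(PRINCIPAL_ATTR, principal);
        return fresh;
    }

    /**
     * Call from the login servlet after authentication. For cookie-less clients,
     * any ;jsessionid= captured before login now points at a dead session (the
     * thread's second concern), so the redirect is encoded only AFTER rotating
     * so that at least this response carries the new id.
     */
    public static void finishLogin(HttpServletRequest request, HttpServletResponse response,
                                   Object principal, String target) throws IOException {
        rotate(request, principal);
        response.sendRedirect(response.encodeRedirectURL(target));
    }

    /**
     * A tracker of the kind the thread worries about: a map keyed by session id.
     * With rotate() it stays consistent for free, because it sees a destroy for
     * the old id and a create for the new one. Changing the id in place (Servlet
     * 3.1's request.changeSessionId()) would instead require handling
     * HttpSessionIdListener.sessionIdChanged(), or the map keeps the stale id.
     */
    public static final class ActiveSessions implements HttpSessionListener {
        private static final Map<String, Long> ACTIVE = new ConcurrentHashMap<String, Long>();

        public void sessionCreated(HttpSessionEvent se) {
            HttpSession s = se.getSession();
            ACTIVE.put(s.getId(), Long.valueOf(s.getCreationTime()));
        }

        public void sessionDestroyed(HttpSessionEvent se) {
            ACTIVE.remove(se.getSession().getId());
        }

        public static int count() {
            return ACTIVE.size();
        }
    }
}
```

Anything an IP<->session-id map or similar bookkeeping stored outside the session has to be rekeyed by the caller; only attributes stored in the HttpSession itself are carried over by rotate(). For container-managed (web.xml) authentication, later Tomcat releases do the in-place rotation themselves via the authenticator valve's changeSessionIdOnAuthentication attribute, which is exactly the case where an id-keyed tracker needs the sessionIdChanged hook.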

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

