tomcat-users mailing list archives

From David Smith <d...@cornell.edu>
Subject Re: Cookie-less session tracking - whats are the downsides
Date Thu, 17 Apr 2008 12:23:57 GMT
The "man in the middle" attack you describe below is one possible 
issue. However, it's easy to capture cookies and provide those in an 
attack. An effective hacker is going to be able to look exactly like 
the client on an unencrypted connection. URL-encoded sessionIds can 
cause headaches if a proxy in the middle strips off the sessionIds on 
the way through or if the search bots suck up URLs with sessionIds. If 
your app can effectively handle those cases, I don't see a downside.

--David

mfs wrote:

>Guys,
>
>I would want to know the downsides to using cookie-less sessions? I want to
>give my client the freedom to disable cookies on the browser if he chooses
>to, but I would want to know the implications of that.
>
>Some say exposing your sessionId in the URL exposes it to hackers who can
>spoof the IP (as of the victim) and provide the jsessionId (in the URL) and
>can gain control of the victim's session, but if you are using SSL, that
>shouldn't be an issue.
>
>Would someone comment on the real hazards/bottlenecks of the cookie-less
>approach?
>
>Thanks in advance and Regards,
>
>Farhan.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
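The thread names three concrete ways a URL-borne jsessionid goes wrong: it is visible to anyone watching an unencrypted connection, search bots index URLs that carry it, and intermediaries or third parties end up holding it. The script below is an added example, not code from the thread or from Tomcat, showing what a defender can do with an ordinary Tomcat access log in "combined" format: it flags every request whose URI carries `;jsessionid=`, flags crawler user agents fetching such URLs, flags session-bearing requests that arrive via a Referer from a host that is not yours (the id has already been published somewhere), and flags a single URL session id used from more than one client address. The log lines, the host list `shop.example`, the bot marker list and the `Finding` structure are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Tomcat appends the session id to the path as ";jsessionid=<id>" when it
# falls back to URL rewriting (cookie-less tracking).
JSESSIONID_RE = re.compile(r";jsessionid=([0-9A-Za-z]+)", re.IGNORECASE)

# Combined log format: ip ident user [time] "method uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that identify common crawlers; assumed list for the example.
BOT_UA_MARKERS = ("googlebot", "bingbot", "slurp", "crawler", "spider")


@dataclass(frozen=True)
class Finding:
    kind: str        # url_session | bot_crawl | external_referer | shared_session
    session_id: str
    ip: str          # client address(es) involved
    detail: str      # redacted URI, user agent, referer, or a short note


def redact_session_id(url):
    """Replace the session id so the URL can be logged or shared safely."""
    return JSESSIONID_RE.sub(";jsessionid=REDACTED", url)


def is_external_referer(referer, own_hosts):
    """True when the Referer names a host that is not one of ours."""
    if referer in ("", "-"):
        return False
    host = (urlparse(referer).hostname or "").lower()
    return host not in own_hosts


def scan_access_log(lines, own_hosts):
    """Return findings for session ids exposed through URLs in the given log lines."""
    own = {h.lower() for h in own_hosts}
    findings = []
    ips_by_session = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        sid = JSESSIONID_RE.search(m["uri"])
        if not sid:
            continue  # session carried in a cookie (or no session): nothing exposed
        session_id, ip = sid.group(1), m["ip"]
        ips_by_session[session_id].add(ip)
        findings.append(Finding("url_session", session_id, ip, redact_session_id(m["uri"])))
        if any(marker in m["ua"].lower() for marker in BOT_UA_MARKERS):
            # A crawler fetched a session-bearing URL; the id may get indexed.
            findings.append(Finding("bot_crawl", session_id, ip, m["ua"]))
        if is_external_referer(m["referer"], own):
            # The visitor followed a link from elsewhere that already contained the id.
            findings.append(Finding("external_referer", session_id, ip, m["referer"]))
    # The same URL session id arriving from several addresses is the hijack case.
    for session_id, ips in ips_by_session.items():
        if len(ips) > 1:
            findings.append(Finding("shared_session", session_id, ",".join(sorted(ips)),
                                    f"{len(ips)} distinct client addresses"))
    return findings


def summarize(findings):
    """Count findings per kind."""
    return Counter(f.kind for f in findings)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Apr/2008:12:23:57 +0000] "GET /shop/cart;jsessionid=A1B2C3D4E5F60718 HTTP/1.1" '
    '200 1234 "https://shop.example/shop/" "Mozilla/5.0"',
    '66.249.66.1 - - [17/Apr/2008:12:24:10 +0000] "GET /shop/cart;jsessionid=A1B2C3D4E5F60718 HTTP/1.1" '
    '200 1234 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '198.51.100.7 - - [17/Apr/2008:12:30:00 +0000] "GET /shop/account;jsessionid=FFEEDDCCBBAA9988 HTTP/1.1" '
    '200 888 "https://forum.example.net/thread/42" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Apr/2008:12:31:00 +0000] "GET /shop/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, ["shop.example"]):
        print(f"{f.kind:17} session={f.session_id} ip={f.ip} {f.detail}")
    print(dict(summarize(scan_access_log(SAMPLE_LOG, ["shop.example"]))))
```

Any session id that shows up in a `url_session` finding should be treated as exposed and invalidated server-side; the `shared_session` and `external_referer` kinds are the ones worth alerting on. On Servlet 3.0 containers (Tomcat 7 and later) the exposure can be avoided outright with `<tracking-mode>COOKIE</tracking-mode>` inside `<session-config>` in web.xml, which stops the container from rewriting URLs at all.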

