tomcat-users mailing list archives

From Christopher Schultz
Subject Re: Tabbed browsers sharing session - work around.
Date Mon, 04 Oct 2010 17:20:36 GMT


On 10/4/2010 7:27 AM, Rob Gregory wrote:
> Using the hostname doesn't really guarantee a unique session; for example,
> if I click new tab and paste the URL into the new window I suspect the
> browser will see the same session from the first tab.

Note that you haven't changed the hostname in this case: you've just
cloned a browser window (or "tab" if you prefer to call it that).

> In our application
> the user can then change the environment with disastrous consequences
> when updating the database.

Sounds like you need to be pretty careful. Is it possible you've built a
fragile application?

> Did you implement anything to stop the
> session sharing at this level? What I did was to use the
> attribute to allow tracking of browser instances and compare this when
> doing the session timeout checking, and this way I am able to redirect
> any further browser opens into new sessions.

That's pretty fragile: relying on client-side javascript for anything
security-related is very foolish.

> With the exception of WEB-INF (which was due to tomcat no longer seeing
> that as a WEB-INF call because I have my unique-id in the path) do you
> see any security faults in what I am doing?

Many: disabling javascript on the client side will break your security.
An attacker overriding the javascript will break your security.

-chris
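A server-side alternative to the client-side tracking discussed in the thread, added here as an example (it is not code from Rob's application or from Chris's reply): a servlet Filter that keeps per-window state in the HttpSession under a token the server mints and carries in a query parameter, so no browser script is trusted and the URL path is left alone. It assumes the javax.servlet API at Servlet 4.0 or later (so init/destroy need not be implemented); the parameter name `wid`, the attribute names `windowScopes` and `windowScope`, and the environment-selection use case are assumptions.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Per-window state (e.g. the selected environment) lives in a map inside the
// HttpSession, keyed by a server-minted token carried in a query parameter, so
// nothing depends on client-side script and the URL path is left untouched.
public class WindowScopeFilter implements Filter {
    static final String PARAM = "wid";          // assumed parameter name
    static final String ATTR = "windowScopes";  // assumed session attribute name
    private final SecureRandom rng = new SecureRandom();

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        Map<String, Map<String, Object>> scopes = scopesFor(r.getSession(true));
        String wid = r.getParameter(PARAM);
        if (wid == null || !scopes.containsKey(wid)) {
            // Missing, forged or expired token. A state-changing request is refused
            // rather than run against another window's environment; a GET is treated
            // as a new window and redirected with a token the server chose.
            if (!"GET".equals(r.getMethod())) {
                w.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing window token");
                return;
            }
            String fresh = new BigInteger(128, rng).toString(32);
            scopes.put(fresh, new ConcurrentHashMap<>());
            w.sendRedirect(r.getRequestURI() + "?" + PARAM + "=" + fresh);
            return;
        }
        // Servlets read and write window-local state here, not in the shared session.
        r.setAttribute("windowScope", scopes.get(wid));
        chain.doFilter(req, res);
    }

    // The token map is created once per session; synchronizing on the session
    // keeps two simultaneous first requests from each installing their own map.
    private static Map<String, Map<String, Object>> scopesFor(HttpSession s) {
        synchronized (s) {
            Map<String, Map<String, Object>> m =
                    (Map<String, Map<String, Object>>) s.getAttribute(ATTR);
            if (m == null) { m = new ConcurrentHashMap<>(); s.setAttribute(ATTR, m); }
            return m;
        }
    }
}
```

The redirect deliberately drops any other query parameters on the first GET, and a URL copied together with its token into another tab still clones that window's scope, which is exactly the cloned-window case Chris describes; the filter isolates windows opened fresh, and refuses updates that arrive with no valid token at all.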