tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tabbed browsers sharing session - work around.
Date Mon, 04 Oct 2010 17:20:36 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob,

On 10/4/2010 7:27 AM, Rob Gregory wrote:
> Using the hostname doesn't really guarantee a unique session for example
> if I click new tab and paste the URL into the new window I suspect the
> browser will see the same session from the first tab.

Note that you haven't changed the hostname in this case: you've just
cloned a browser window (or "tab" if you prefer to call it that).

> In our application
> the user can then change the environment with disastrous consequences
> when updating the database.

Sounds like you need to be pretty careful. Is it possible you've built a
fragile application?

> Did you implement anything to stop the
> session sharing at this level. What I did was to use the window.name
> attribute to allow tracking of browser instances and compare this when
> doing the session timeout checking and this way I am able to redirect
> any further browser opens into new sessions. 

That's pretty fragile: relying on client-side javascript for anything
security-related is very foolish.

> With the exception of WEB-INF (which was due to tomcat no longer seeing
> that as a WEB-INF call because I have my unique-id in the path) do you
> see any security faults in what I am doing?

Many: disabling javascript on the client side will break your security.
An attacker overriding the javascript will break your security.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyqDOQACgkQ9CaO5/Lv0PBbSACfVhscYMSd4q13ivnaz4k6LdeQ
ZmgAoKSUg6VkjFxyFr47j1260++fjhre
=ct/x
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message