Rob,
On 10/4/2010 7:27 AM, Rob Gregory wrote:
> Using the hostname doesn't really guarantee a unique session for example
> if I click new tab and paste the URL into the new window I suspect the
> browser will see the same session from the first tab.
Note that you haven't changed the hostname in this case: you've just
cloned a browser window (or "tab" if you prefer to call it that).
> In our application
> the user can then change the environment with disastrous consequences
> when updating the database.
Sounds like you need to be pretty careful. Is it possible you've built a
fragile application?
> Did you implement anything to stop the
> session sharing at this level? What I did was to use the window.name
> attribute to allow tracking of browser instances and compare this when
> doing the session timeout checking, and this way I am able to redirect
> any further browser opens into new sessions.
That's pretty fragile: relying on client-side JavaScript for anything
security-related is very foolish.
> With the exception of WEB-INF (which was due to tomcat no longer seeing
> that as a WEB-INF call because I have my unique-id in the path) do you
> see any security faults in what I am doing?
Many: disabling JavaScript on the client side will break your security.
An attacker overriding the JavaScript will break your security.
-chris