tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bojan Smojver <>
Subject Re: SSL session attribute
Date Thu, 01 Nov 2001 11:35:06 GMT
Do you think that it would be smart and/or desirable to 'enforce' the 
check for all people that use sessions with SSL? In other words, if you 
have a TC session, and you're running things over SSL, we enforce the TC 
session ID and SSL session ID match.

If there are security experts out there (Christopher?) that are willing 
to contribute, I'd really appreciate it.


GOMEZ Henri wrote:

>>Is the request attribute "javax.servlet.request.ssl_session" 
>>(in TC 3.3)
>>a 'standard' attribute that keeps the SSL session ID? Is there a spec
>>that defines it?
> No, it's not on the specs and even if you find this information
> on some servers (Apache + mod_ssl for example), there is 
> still some web server where it won't be available (IIS I think)
> and so couldn't be forwarded by mod_jk ....
>>It seems like an extremely important part of keeping the users from
>>bumping into each others TC session 'by accident' (or should I say by
> Yes it's something you could use to verify that nobody is hacking 
> your sessionid, but I feel that any serious webapp application
> must run under SSL ....
> --
> To unsubscribe, e-mail:   <>
> For additional commands, e-mail: <>

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message