://testweb/testpageaction.do;jsessionid=SD23SL4DE134ADFF565D
If I execute this same URL in another machine, then I am able to browse
my webapp, as if I was logged in. I expected the session to be invalid
for this request.
I've searched Google for jsessionid hijacking and found some ways to
a
> From: Zaki Akhmad [mailto:zakiakh...@gmail.com]
> 2009/3/13 zhaoxueqing :
>
> > jsessionid is the only way to identify the user logged in.
> > If you get it, you are this user.
> > But we can check others, for example IP!
Difficult, depending on your environment. Some ISPs run large proxy clus
Just a word about associating a given session to one IP address, it
works alright and sure is a security enhancement - not sure though if
there is built-in support for that in Tomcat, though it can be
implemented at the application layer. The major drawback of doing so
depends on your users' ISP IPs ma
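The application-layer approach raised in this reply, as an added example that is not code from any poster in the thread: a hypothetical servlet filter (Servlet 2.5 API, the one Tomcat 6 implements) that records the address a session was first used from, ends the session when that address changes, and refuses session ids that arrive in the URL as `;jsessionid=...` instead of in a cookie. The class name and the session attribute key are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: bind a session to its first client address, reject URL-carried ids. */
public class SessionBindingFilter implements Filter {
    // Hypothetical attribute key; anything the application does not use elsewhere.
    private static final String BOUND_ADDR = "example.boundRemoteAddr";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hresp = (HttpServletResponse) resp;

        // A session id that came as ;jsessionid=... in the URL (not from a cookie) is the
        // case the thread describes: treat it as untrusted, drop the session, force re-login.
        if (hreq.isRequestedSessionIdFromURL()) {
            HttpSession s = hreq.getSession(false);
            if (s != null) s.invalidate();
            hresp.sendError(HttpServletResponse.SC_FORBIDDEN, "session id in URL not accepted");
            return;
        }

        HttpSession session = hreq.getSession(false);   // never create a session here
        if (session != null) {
            // Caveat from the thread: behind a reverse proxy getRemoteAddr() is the proxy,
            // and ISP proxy clusters can change a client's address mid-session (false positives).
            String current = hreq.getRemoteAddr();
            String bound = (String) session.getAttribute(BOUND_ADDR);
            if (bound == null) {
                session.setAttribute(BOUND_ADDR, current);   // first request: record it
            } else if (!bound.equals(current)) {
                session.invalidate();                         // address changed: end it
                hresp.sendError(HttpServletResponse.SC_FORBIDDEN, "session address mismatch");
                return;
            }
        }
        chain.doFilter(req, resp);
    }
}
```

Map the filter to `/*` in web.xml ahead of the application's other filters. With the Servlet 3.0 API (Tomcat 7 and later) URL rewriting can instead be switched off declaratively with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`, so no `;jsessionid=` ever appears in a URL.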
2009/3/13 zhaoxueqing :
> jsessionid is the only way to identify the user logged in.
> If you get it, you are this user.
> But we can check others, for example IP!
But we can *still* do IP spoofing. Any other better recommendation?
This issue is one of my concerns also.
--
Zaki Akhmad
-
> From: Pieter Temmerman [mailto:ptemmerman@sadiel.es]
> I don't know. It just seemed way too easy to hijack a session, so I
> supposed it must be secure.
Large portions of the web architecture are insecure by their original design.
This makes security in web-based systems... erm.. "a challen
> > However, as the jsessionid URL rewriting is defined in the servlet
> > specification, I would expect this to be secure.
>
> Why, out of interest?
I don't know. It just seemed way too easy to hijack a session, so I
supposed it must be secure.
> It's completely normal. Other frameworks have ex
> From: Pieter Temmerman [mailto:ptemmerman@sadiel.es]
> However, as the jsessionid URL rewriting is defined in the servlet
> specification, I would expect this to be secure.
Why, out of interest?
> Therefore I was wondering whether the hijacking is caused by a
> misconfiguration of Tomcat, my
jsessionid is the only way to identify the user logged in.
If you get it, you are this user.
But we can check others, for example IP!
- Original Message -
From: "Pieter Temmerman"
To: "Tomcat Users List"
Sent: Friday, March 13, 2009 5:15 PM
Subject: JSESSIO
eaction.do;jsessionid=SD23SL4DE134ADFF565D
If I execute this same URL in another machine, then I am able to browse
my webapp, as if I was logged in. I expected the session to be invalid
for this request.
I've searched Google for jsessionid hijacking and found some ways to
avoid jsessionid to appear in