Pieter Temmerman wrote:
Hi list.
I've got an issue which I would like to share with you guys.
My webapp requires a user to login, which on his turn creates a session
for that user.
Now, when I browse my webapp the address bar shows the current URL with
a JSESSIONID. Let's say:
http://testweb/t
> From: Zaki Akhmad [mailto:zakiakh...@gmail.com]
> 2009/3/13 zhaoxueqing :
>
> > jsessionid is the only way to identify the logged-in user.
> > If you get it, you are this user.
> > But we can check other things, for example the IP!
Difficult, depending on your environment. Some ISPs run large proxy clus
Just a word about associating a given session with one IP address: it
works all right and certainly is a security enhancement. I'm not sure
whether there is built-in support for that in Tomcat, though it can be
implemented at the application layer. The major drawback of doing so
depends on your users' ISP IPs ma
2009/3/13 zhaoxueqing :
> jsessionid is the only way to identify the logged-in user.
> If you get it, you are this user.
> But we can check other things, for example the IP!
But we can *still* do IP spoofing. Any other better recommendation?
This issue is one of my concerns also.
--
Zaki Akhmad
-
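One way to implement the session-to-IP binding discussed in this thread, as an added example that is not code from the list posts or from Tomcat itself. It assumes a Servlet 2.5 style Filter (the kind Tomcat 6 runs); the class name, the session attribute name and the filter name in the web.xml comment are made up for illustration:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds every session to the client IP that first used it.
 * A request that presents a valid JSESSIONID from a different IP
 * has its session invalidated and gets a 403, so a leaked session ID
 * (for example one copied out of a rewritten URL) is useless unless
 * the attacker can also send traffic from the victim's address.
 *
 * Register it in web.xml (names are this example's, not Tomcat's):
 *   <filter>
 *     <filter-name>sessionIpBinding</filter-name>
 *     <filter-class>SessionIpBindingFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>sessionIpBinding</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class SessionIpBindingFilter implements Filter {

    // Arbitrary attribute name chosen for this example.
    private static final String BOUND_IP = "sessionBoundIp";

    public void init(FilterConfig cfg) {
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // getSession(false): never create a session for an anonymous request,
        // otherwise every crawler hit would allocate server-side state.
        HttpSession session = request.getSession(false);
        if (session != null) {
            String client = request.getRemoteAddr();
            String bound = (String) session.getAttribute(BOUND_IP);
            if (bound == null) {
                // First request on this session: remember who it belongs to.
                session.setAttribute(BOUND_IP, client);
            } else if (!bound.equals(client)) {
                // Same JSESSIONID, different source address: treat as hijack.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, resp);
    }

    public void destroy() {
    }
}
```

Two caveats a deployment has to deal with. First, `getRemoteAddr()` returns the address of whatever connected to Tomcat; behind a reverse proxy or load balancer that is the proxy, so every user shares one "IP" and the check binds nothing (Tomcat's RemoteIpValve can restore the client address from the `X-Forwarded-For` header if the proxy is trusted to set it). Second, as the thread notes, users whose ISP routes them through a rotating proxy cluster will change address mid-session and be logged out, so the filter trades some usability for the hijack protection. Keeping the ID out of the URL in the first place is the stronger fix: with Servlet 3.0 (Tomcat 7 and later) `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml disables URL rewriting entirely.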
> From: Pieter Temmerman [mailto:ptemmerman@sadiel.es]
> I don't know. It just seemed way too easy to hijack a session, so I
> supposed it must be secure.
Large portions of the web architecture are insecure by their original design.
This makes security in web-based systems... erm.. "a challen
> > However, as the jsessionid URL rewriting is defined in the servlet
> > specification, I would expect this to be secure.
>
> Why, out of interest?
I don't know. It just seemed way too easy to hijack a session, so I
supposed it must be secure.
> It's completely normal. Other frameworks have ex
> From: Pieter Temmerman [mailto:ptemmerman@sadiel.es]
> However, as the jsessionid URL rewriting is defined in the servlet
> specification, I would expect this to be secure.
Why, out of interest?
> Therefore I was wondering whether the hijacking is caused by a
> misconfiguration of Tomcat, my
jsessionid is the only way to identify the logged-in user.
If you get it, you are this user.
But we can check other things, for example the IP!
- Original Message -
From: "Pieter Temmerman"
To: "Tomcat Users List"
Sent: Friday, March 13, 2009 5:15 PM
Subject: JSESSIONID hijacking
> Hi list