2012/9/30 Konstantin Kolinko :
> 2012/9/28 Christopher Schultz :
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Konstantin,
>>
>> On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
>>> 2012/9/28 Joan Morales :
Hi,
I have a security issue (hijack session) with JSESSIONID cookie
2012/9/28 Christopher Schultz :
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Konstantin,
>
> On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
>> 2012/9/28 Joan Morales :
>>> Hi,
>>>
>>> I have a security issue (hijack session) with JSESSIONID cookie,
>>>
>>> here is the problem:
>>>
>>> I am
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Joan,
On 9/28/12 1:27 PM, Joan Morales wrote:
> I already tried with AJP, but I can't get rid of the JSESSIONID cookie
> either
Can you please describe your configuration for that scenario again?
Your original description was a bit hard to follow.
- -c
Hi Cris,
I already tried with AJP, but I can't get rid of the JSESSIONID cookie either
Regards,
--
Joan Morales
On 28/09/2012, at 19:11, Christopher Schultz
wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Konstantin,
>
> On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
>> 2012
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Konstantin,
On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
> 2012/9/28 Joan Morales :
>> Hi,
>>
>> I have a security issue (hijack session) with JSESSIONID cookie,
>>
>> here is the problem:
>>
>> I am using an architecture with an Apache2 server i
Hi Joan,
"cookie", from my understanding, uses the
SSL session-ID as the cookie-value in the Tomcat container. This value
will be different from what Apache assigns on the front-end SSL connection
to the browser (as Konstantin pointed out). With tracking-mode COOKIE, I
believe, a JSESSIONID cook
I put the
SSL because I thought it was necessary to handle
the SSL on TC; anyway, I'll change it to COOKIE and see what happens.
Another couple of ideas were to use a Valve for SSL on TC or enable the
mod_header on Apache, but any idea on how this would help?
Thanks,
Joan
--
Joan Morales
Hi Joan,
What happens when you change the web.xml settings to:
--web.xml:
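<session-config>
  <session-timeout>30</session-timeout>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>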
--
Thanks.
-Shanti
On Fri, Sep 28, 2012 at 10:58 AM, Konstantin Kolinko wrote:
> 2012/9/28 Martin Gainty :
> >
> > that is NOT what
2012/9/28 Martin Gainty :
>
> that is NOT what the op asked for
>
> if the OP is implementing ssl via her FE Apache then she needs to implement
> and config mod-ssl on that FE apache server
>
> You need to Understand what the op environment is before criticising the
> solution
> Martin
The OP as
information and has no legally binding effect.
Because e-mails can easily be manipulated, we cannot accept any liability
for the content.
> Date: Fri, 28 Sep 2012 20:52:14 +0800
> Subject: RE: Security issue regarding JSESSIONID cookie
> From: malibo8...@gmail
2012/9/28 Joan Morales :
> Hi,
>
> I have a security issue (hijack session) with JSESSIONID cookie,
>
> here is the problem:
>
> I am using an architecture with an Apache2 server in front of Tomcat, I
> have configured the SSL in both sides Apache(ssl_module) and
> Tomcat(Connectors JSSE),
>
> 1)
ents
> > >
> > > with regards to external hosts i would suggest you deny all and allow
> > > secure access to only TC host to the secure folder of apache
> > >
> > > Good luck,
> > > Martin
> > > _________
> secure access to only TC host to the secure folder of apache
> >
> > Good luck,
> > Martin
> > __
> > Please..do not alter or interrupt this communication..Thanks
> >
> >
> > > From: joan@gmail.com
> > >
favor..no altere ni interrumptir esta communicacion..Gracias
>
>
> > From: joan@gmail.com
> > Date: Fri, 28 Sep 2012 13:20:05 +0200
> > Subject: Security issue regarding JSESSIONID cookie
> > To: users@tomcat.apache.org
> >
> > Hi,
> >
> > I
pache
Good luck,
Martin
__
Please..do not alter or interrupt this communication..Thanks
> From: joan@gmail.com
> Date: Fri, 28 Sep 2012 13:20:05 +0200
> Subject: Security issue regarding JSESSIONID cookie
> To: users@tomcat.a