http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12904

Session hijacking - see script's comment

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From [EMAIL PROTECTED]  2002-12-01 23:46 -------
If I am correct, you are worried that someone may be sniffing the wire and stealing the session id. This is a feature of the spec. To prevent this attack - use SSL. There is nothing in the spec which dictates how the session id should be created (AFAIK), so locking the sessionid to the requester's ip address could cause weird results.
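
The comment's point about locking a session id to the requester's IP address, as an added example that is not part of the original bug comment or of the project's code. `SessionStore`, `replay_trace` and every address in the trace are hypothetical and constructed for illustration.

```python
# Added illustration; SessionStore and the request trace are hypothetical.
import secrets


class SessionStore:
    """Minimal server-side session table with optional IP pinning."""

    def __init__(self, bind_to_ip):
        self.bind_to_ip = bind_to_ip
        self._sessions = {}  # session id -> client IP seen at login

    def create(self, client_ip):
        sid = secrets.token_urlsafe(32)  # unpredictable id; does not stop sniffing
        self._sessions[sid] = client_ip
        return sid

    def validate(self, sid, client_ip):
        origin_ip = self._sessions.get(sid)
        if origin_ip is None:
            return False
        if self.bind_to_ip and client_ip != origin_ip:
            return False  # pinned session presented from a different address
        return True


def replay_trace(bind_to_ip):
    """Replay a constructed request trace; return (label, accepted) pairs."""
    store = SessionStore(bind_to_ip)
    sid = store.create("192.0.2.10")  # login arrives via proxy egress A
    trace = [  # constructed sample requests (documentation address ranges)
        ("owner, same proxy egress", "192.0.2.10"),
        ("owner, load-balanced to proxy egress B", "192.0.2.11"),
        ("owner, back on egress A", "192.0.2.10"),
        ("third party with sniffed id, same NAT address", "192.0.2.10"),
        ("third party with sniffed id, other network", "203.0.113.7"),
    ]
    return [(label, store.validate(sid, ip)) for label, ip in trace]


if __name__ == "__main__":
    for bind in (False, True):
        print(f"bind_to_ip={bind}")
        for label, ok in replay_trace(bind):
            print(f"  {'accept' if ok else 'REJECT'}  {label}")
```

With pinning enabled the session owner is rejected as soon as the proxy egress address changes, while a holder of the sniffed id behind the same address is still accepted; keeping the id off the wire with SSL, as the comment says, is what addresses the sniffing itself.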