http://issues.apache.org/bugzilla/show_bug.cgi?id=22679

how to access ssl session ID out of tomcat to prevent session hijacking

------- Additional Comments From [EMAIL PROTECTED]  2004-10-31 21:55 -------
It seems that Tomcat 3.3.x & 4.1.x work fine. With Tomcat 5 you need to access a standard attribute to trigger, and then it works fine:

    request.getAttribute("javax.servlet.request.key_size");
    String sslID = (String)request.getAttribute("javax.servlet.request.ssl_session");

It's true that TC 3.3 has a setting to deny access to the servlet session if the SSL session doesn't match. In TC >= 4, it is easy enough to do this type of check in a Filter.
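
The Filter check mentioned in the comment above, sketched as an added example (not part of the original message and not Tomcat's own code). The class name `SslSessionBindingFilter` and the session attribute `example.boundSslSessionId` are hypothetical, and the filter is assumed to be mapped only to HTTPS-only paths.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: ties each HttpSession to the SSL session it was first seen on. */
public class SslSessionBindingFilter implements Filter {
    // Hypothetical attribute name under which the bound SSL session ID is remembered.
    private static final String BOUND_ID = "example.boundSslSessionId";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // As described in the comment: on Tomcat 5, read a standard SSL attribute
        // first so that the SSL session attribute is populated.
        request.getAttribute("javax.servlet.request.key_size");
        String sslId = (String) request.getAttribute("javax.servlet.request.ssl_session");

        HttpSession session = request.getSession(false);
        if (session != null) {
            if (sslId == null) {
                // No SSL session visible (plain HTTP or connector did not expose it): fail closed.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            String bound = (String) session.getAttribute(BOUND_ID);
            if (bound == null) {
                // First request on this servlet session: remember its SSL session.
                session.setAttribute(BOUND_ID, sslId);
            } else if (!bound.equals(sslId)) {
                // Session cookie presented over a different SSL session: drop the session.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

A client that legitimately negotiates a new SSL session (for example after the SSL session cache entry expires) will also fail this check and have to log in again, so the SSL session timeout should be at least as long as the servlet session timeout.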