Hi,
I think the URL Session ID is interpreted first, but then the Cookie is
parsed and set. See o.a.c.connector.CoyoteAdapter.postParseRequest.
First the session id is set from the URL (parseSessionId L. 249) and later set again
from the cookie (parseSessionCookiesId L. 324). You can simply test this
with a simple JSP that shows the session id and then send the request again with
;jsessionid=123123as ... :-)
Peter
Leon Rosenberg wrote:
Hi,
Sorry for being too lazy to look into the source code, but I
thought that for people of knowledge it would take 10 sec to give me
the right answer :-)
There is an interesting issue of hijacking a session on a .net
application (surely founded in bad programming rather than the
framework), but I'd be interested whether such a thing is possible with
Tomcat too.
For German-speaking people:
http://www.goodguy.de/Sicherheitsluecke_Neu_de/
For all the others: is it possible to overwrite the Tomcat-issued
session (cookie session) by attaching a different session in the URL?
regards
Leon
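As an added example (not code from the thread or from Tomcat itself): a hypothetical servlet filter that refuses to honour a session id arriving via the URL path and starts a fresh session when the presented id is not backed by a live server-side session, so a request cannot substitute its own id for the one the container issued. Class and filter names are made up; the servlet API calls are the standard ones.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not part of Tomcat): only cookie-borne ids that
 * match an existing session are allowed through to the application.
 */
public class SessionSourceFilter implements Filter {

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.getRequestedSessionId() != null) {
            // Case 1: the id came from ";jsessionid=..." in the URL, not from the
            // cookie. Reject the request outright instead of letting it bind.
            if (request.isRequestedSessionIdFromURL()) {
                dropSession(request);
                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "session ids in the URL are not accepted");
                return;
            }
            // Case 2: the id does not name a live session (expired, or never
            // issued by this server). Make sure the application sees a fresh
            // session with a container-generated id rather than the supplied one.
            if (!request.isRequestedSessionIdValid()) {
                dropSession(request);
                request.getSession(true);
            }
        }
        chain.doFilter(request, response);
    }

    private static void dropSession(HttpServletRequest request) {
        HttpSession s = request.getSession(false);
        if (s != null) s.invalidate();
    }
}
```

Map the filter to /* in web.xml ahead of the application's own filters; on a Servlet 3.0 container the same effect for the URL case is available declaratively with <session-config><tracking-mode>COOKIE</tracking-mode></session-config>.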
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]