Hi, I am too lazy to check the code too. Here is what I know from
my experience using a multipart/form-data form as the first
page for a user (assuming cookie session tracking is allowed in the web app):

The first time you enter a web page, a session id is created, along with the
HttpSession object. As the server does not yet know if cookies are supported by the client, it
- rewrites all URLs with a ;JSESSIONID=.......
- sends the cookie to the browser

At the FIRST reply from the client, the client sends URL + cookie to Tomcat;
then Tomcat does NOT take the cookie into account, it reads the URL
(well, technically I suppose it uses the cookie, but notice that in the session it is
not yet confirmed as supported by the client, and so it falls back to the URL).
After loading the session from the URL, it checks if there is a cookie with the same id.
If that is the case, then it flags the session as cookie-supported and does not
URL-rewrite anymore.

The next calls use cookies. Does the URL take precedence if also provided? Give
it a try!

My post is useless? I know that :)

Leon Rosenberg wrote:

>Hi,
>
>Sorry for being too lazy to look into the source code, but I
>thought that for people of knowledge it would take 10 sec to give me
>the right answer :-)
>
>There is an interesting issue of hijacking a session on a .NET
>application (surely founded in bad programming rather than the
>framework), but I'd be interested if such a thing is possible with
>Tomcat too.
>
>For German-speaking people:
>http://www.goodguy.de/Sicherheitsluecke_Neu_de/
>
>For all the others: is it possible to overwrite the Tomcat-issued
>session (cookie session) by attaching a different session in the URL?
>
>regards
>Leon
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>
>  
>



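A defensive check for the situation Leon asks about, written as an added example for this thread (it is not code from the thread, nor from Tomcat itself). Rather than relying on which identifier the container prefers, the filter below compares the session id carried in the URL path with the one carried in the session cookie and refuses the request when the two disagree; a request that carries only a URL id is logged for detection but allowed through, since the reply above describes that as the normal case for a client without cookie support. Assumptions: the session cookie is named JSESSIONID (the Tomcat default, configurable per context), the `javax.servlet` API namespace (Tomcat 10 and later use `jakarta.servlet`), and the class and constant names are my own.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not part of Tomcat): a session id supplied in the URL
 * (;jsessionid=...) must never replace the session the cookie names.
 */
public class UrlSessionIdGuardFilter implements Filter {

    private static final Logger LOG =
            Logger.getLogger(UrlSessionIdGuardFilter.class.getName());

    /** Assumed default cookie name; Tomcat allows renaming it per context. */
    private static final String SESSION_COOKIE_NAME = "JSESSIONID";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The container reports a single requested id and where it came from.
        String urlId = request.isRequestedSessionIdFromURL()
                ? request.getRequestedSessionId() : null;
        // The cookie is read directly so both channels can be compared.
        String cookieId = sessionCookieValue(request);

        if (urlId != null && cookieId != null && !urlId.equals(cookieId)) {
            // The browser sent a cookie, so it supports cookies, yet the URL
            // names a different session: exactly the "attach another session
            // in the URL" case. Do not let the container choose; reject it.
            LOG.warning("Session id in URL (" + abbreviate(urlId)
                    + ") differs from cookie (" + abbreviate(cookieId)
                    + ") from " + request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Conflicting session identifiers");
            return;
        }

        if (urlId != null && cookieId == null) {
            // Legitimate for a client without cookies, but worth a record:
            // a URL-only id is what a pasted or forwarded link looks like.
            LOG.info("Session id supplied only via URL (" + abbreviate(urlId)
                    + ") from " + request.getRemoteAddr());
        }

        chain.doFilter(req, res);
    }

    /** Returns the value of the session cookie, or null if none was sent. */
    static String sessionCookieValue(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // may be null
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (SESSION_COOKIE_NAME.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }

    /** Log only a prefix so full session ids never end up in log files. */
    static String abbreviate(String id) {
        return id.length() <= 6 ? id : id.substring(0, 6) + "...";
    }
}
```

Map the filter to `/*` in web.xml so it runs before any servlet touches the session. On a Servlet 3.0 or later container the simpler fix is to turn URL rewriting off altogether with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`, after which the URL channel the thread discusses is never consulted; the filter is useful where that option is unavailable or where you want the conflict logged for detection.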