> From: Paul Roberts [mailto:[EMAIL PROTECTED]]
> I have a question regarding IP addresses and session IDs.
>
> If a user on IP address 1 connects to the Tomcat server and is given
> session ID A, what happens if that session ID is hijacked by someone on
> IP address 2 and then used for a further request? How would the
> different versions of Tomcat react to this, if at all? Specifically, does
> Tomcat hold a relationship between IP address and session ID which is
> checked on each subsequent request?
No. In fact, Tomcat should not do so - some users access Web servers via a farm of proxy servers, and different servers in the farm (with different IP addresses) might make different requests for the same user, even when that user is loading (say) the images on a single page.

If you want to prevent hijacking of session IDs, the session must be over HTTPS, not HTTP.

- Peter