Thank you.
I was wondering, over and above encrypting the communications channel how does HTTPS help to prevent session ID hijacking?

Regards

Paul Roberts.



From: "Peter Crowther" <[EMAIL PROTECTED]>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
To: "Tomcat Users List" <users@tomcat.apache.org>
Subject: RE: Tomcat IP and Session ID's
Date: Fri, 24 Feb 2006 11:51:44 -0000

> From: Paul Roberts [mailto:[EMAIL PROTECTED]
> I have a question regarding IP addresses and session IDs.
>
> If a user on IP address 1 connects to the Tomcat server and is given
> session ID A, what happens if that session ID is hijacked by someone on
> IP address 2 and then used for a further request? How would the
> different versions of Tomcat react to this, if at all? Specifically,
> does Tomcat hold a relationship between IP address and session ID which
> is checked on each subsequent request?

No.  In fact, Tomcat should not do so - some users access Web servers
via a farm of proxy servers, and different servers in the farm (with
different IP addresses) might make different requests for the same user,
even when that user is loading (say) images on a single page.

If you want to prevent hijacking of session IDs, the session must be
over HTTPS, not HTTP.

                - Peter

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
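The following is an added example, not part of this thread and not Peter's or Paul's configuration. It shows the Servlet 3.0 session cookie settings (supported by Tomcat 7 and later, which postdate this 2006 message) that make HTTPS matter for the session ID beyond encrypting the bytes on the wire: with `secure` set, the browser never sends JSESSIONID on a plain http:// request to the same host, so a single unencrypted link or redirect cannot expose it; `http-only` keeps it out of reach of page scripts; and restricting tracking to `COOKIE` stops Tomcat rewriting the ID into URLs, where it would otherwise land in Referer headers and proxy logs. The assumption is that the application is served only over HTTPS; a session created with `secure` will not be sent over HTTP at all.

```xml
<!-- Added example (web.xml fragment, Servlet 3.0 / Tomcat 7+), not from the thread.
     Assumes the application is reachable only over HTTPS. -->
<session-config>
    <!-- idle timeout in minutes: limits how long a captured ID stays usable -->
    <session-timeout>30</session-timeout>
    <cookie-config>
        <name>JSESSIONID</name>
        <!-- not readable by JavaScript in the page -->
        <http-only>true</http-only>
        <!-- browser sends the cookie only on https:// requests -->
        <secure>true</secure>
    </cookie-config>
    <!-- no ;jsessionid=... URL rewriting, so the ID never appears in URLs or logs -->
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

None of this binds a session to an IP address, in keeping with the proxy-farm point above; it narrows the ways the identifier can be observed in the first place rather than trying to detect a second client using it.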

