By encrypting the entire conversation, including the cookies. Remember that SSL is wrapped around http, otherwise we could support multiple named virtual hosts using SSL.
-----Original Message-----
From: Paul Roberts [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 24, 2006 9:23 AM
To: users@tomcat.apache.org
Subject: RE: Tomcat IP and Session ID's

Thank you. I was wondering, over and above encrypting the communications channel, how does HTTPS help to prevent session ID hijacking?

Regards
Paul Roberts.

>From: "Peter Crowther" <[EMAIL PROTECTED]>
>Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
>To: "Tomcat Users List" <users@tomcat.apache.org>
>Subject: RE: Tomcat IP and Session ID's
>Date: Fri, 24 Feb 2006 11:51:44 -0000
>
>> From: Paul Roberts [mailto:[EMAIL PROTECTED]]
>> I have a question regarding IP addresses and session IDs.
>>
>> If a user on IP Address 1 connects to the Tomcat server and is given
>> session ID A, what happens if that session ID is hijacked by someone
>> on IP address 2 and then used for a further request? How would the
>> different versions of Tomcat react to this, if at all?
>> Specifically, does
>> Tomcat hold a relationship between IP address and session ID which
>> is checked on each subsequent request?
>
>No. In fact, Tomcat should not do so - some users access Web servers
>via a farm of proxy servers, and different servers in the farm (with
>different IP addresses) might make different requests for the same
>user, even when that user is loading (say) images on a single page.
>
>If you want to prevent hijacking of session IDs, the session must be
>over HTTPS, not HTTP.
>
> - Peter
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
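One concrete way to act on Peter's advice in Tomcat is to make the container itself refuse plain-HTTP access to the part of the application that uses the session, so the JSESSIONID cookie is never sent in the clear where an on-path attacker could copy it and replay it from a different IP address. The web.xml fragment below is an added example for this page, not configuration from the thread or from Tomcat's own distribution; the /app/* URL pattern and the resource name are assumptions. The security-constraint with a CONFIDENTIAL transport guarantee has been in the Servlet specification since 2.2 and applies to the Tomcat versions discussed here; the cookie-config element needs a Servlet 3.0 container (Tomcat 7 or later).

```xml
<!-- Added example, not from the original thread. Assumes the application's
     session-bearing pages live under /app/* (hypothetical path). -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         version="3.1">

  <!-- Weak setting (what the thread starts from): no constraint at all.
       A client that reaches http://host/app/ is issued a session, and
       JSESSIONID then travels in cleartext on every request. Binding the
       session to the client IP would not fix this, because users behind
       proxy farms legitimately arrive from several addresses. -->

  <!-- Corrected setting: require a confidential (TLS) transport for the
       whole session-bearing area. Tomcat answers a plain-HTTP request for
       these URLs with a redirect to the HTTPS connector before any servlet
       or JSP runs, so no session is created over HTTP. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>session area</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Servlet 3.0+ only: mark the session cookie Secure so the browser
       never attaches it to an http:// request to the same host, even if
       the user follows a plain link, and HttpOnly so page scripts cannot
       read it. -->
  <session-config>
    <cookie-config>
      <secure>true</secure>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>

</web-app>
```

The redirect goes to the port named by the redirectPort attribute of the HTTP Connector in server.xml (8443 in Tomcat's default configuration), so an HTTPS connector must actually be listening there or the constrained URLs become unreachable. This closes the specific hole the thread is about, the session ID being readable on the wire; it does not, on its own, address an ID leaked by other means such as being written into logs or URLs.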