Lo,
On 4/17/14, 10:44 AM, Sauvel Laurent wrote:
> 1. Before testing the code below with different Tomcat
> configurations, I would like to know if there is a better way to
> do what I want. I'm not really satisfied with this code that is
> closely related to Tomcat classes.

You are trying to fetch a value from a Tomcat-specific configuration... why do you think you can do this in a non-Tomcat-specific way?

> 2. The original problem is that I would like to:
>
> a) prevent Tomcat (6.0.x, including versions older than 6.0.30)
> from adding the ";jsessionid=xxx" string to the URL when there is
> no cookie named JSESSIONID in the client browser

Use a Filter, just like everybody else. This will work in any container.

> b) prevent jsessionid hijacking via the url, i.e. redirect to an
> error page when the "jsessionid=" string is detected in the URL

You can do this with a Filter, too. No Tomcat-specific code necessary. AFAICT, you don't need to sniff/set the disableURLRewriting attribute value at all.

Just FYI, preventing "jsessionid hijacking" does not prevent session hijacking at all. Forging the JSESSIONID cookie is just as easy as forging a jsessionid URL path parameter. The difference is that you can't email a cookie-laden URL to someone. The real way to prevent session hijacking is to change the session id after a login, which is exactly what Tomcat already does for you, so you shouldn't have to worry about it at all.
-chris
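As an added illustration of the container-independent Filter approach Chris recommends (example code, not Chris's or Tomcat's own): the filter below wraps the response so that encodeURL()/encodeRedirectURL() never append ";jsessionid=...", and redirects to an error page when the session id was supplied in the URL path. It assumes the Servlet 2.5 API that Tomcat 6 ships, an application-chosen error page path, and that the filter is mapped to /* in web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Portable filter: (a) disables URL rewriting of the session id,
// (b) rejects requests that carry the session id as a URL path parameter.
public class NoUrlSessionFilter implements Filter {

    // Assumed default; override with the "errorPage" init-param in web.xml.
    private String errorPage = "/session-error.jsp";

    public void init(FilterConfig config) {
        String p = config.getInitParameter("errorPage");
        if (p != null) errorPage = p;
    }

    @SuppressWarnings("deprecation") // the wrapper also covers the old encodeUrl() names
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // (b) Session id came from ";jsessionid=..." in the URL, not from a cookie:
        // do not serve the request, send the client to the error page instead.
        if (request.isRequestedSessionIdFromURL()) {
            response.sendRedirect(request.getContextPath() + errorPage);
            return;
        }

        // (a) Downstream code (JSPs, c:url, sendRedirect callers) gets a response
        // whose URL-encoding methods return the URL unchanged, so the container
        // never appends the session id even when no JSESSIONID cookie exists.
        chain.doFilter(request, new HttpServletResponseWrapper(response) {
            @Override public String encodeURL(String url) { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
            @Override public String encodeUrl(String url) { return url; }
            @Override public String encodeRedirectUrl(String url) { return url; }
        });
    }

    public void destroy() { }
}
```

As the reply above notes, this only removes the session id from URLs; it does not stop session hijacking, which is addressed by the session id change Tomcat performs after login.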