I wonder if associating (and checking) the request IP with the session would reduce the problem to some acceptable level. What is the chance of a session being hijacked from the same network (face-ip)?

Another question is: can the original request IP be spoofed?

Long

----- Original Message -----
From: "Tomas Hulek" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Thursday, August 10, 2006 12:06 PM
Subject: Re: Session hijacking with Tomcat/Myfaces - unable to fix it

> We have tried it, but the internal session attributes where Tomcat stores
> the original request are hidden from the application, and are certainly not
> accessible through the javax.servlet.* API (and we do try to write a PORTABLE
> application, relying on the specification and not on the internals of one
> particular servlet engine).
>
> Commenting on other suggestions:
>
> 1) SSL for the whole application is not practical; there are many users who
> only use the public pages and never log in.
>
> 2) We have implemented one workaround in the login form:
> if the session was not generated under SSL, do the following:
> - invalidate the session
> - create a new session and mark it as safe (generated under SSL)
> - do an external redirect to a fixed, non-public page
>
> The last step will start the whole login process again, this time with a
> safe session ID.
>
> I am still not happy with it. A very enhancement in Tomcat would do:
> generate a new session ID after the switch to HTTPS, based e.g. on the SSL session
> ID (to get a new, unique ID).
>
> Tomas

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
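The workaround Tomas describes (invalidate the HTTP-issued session, create a fresh one under SSL, mark it safe, redirect) can be written as a portable servlet filter using only the javax.servlet.* API. This is an added illustration, not code from the thread or from Tomcat; the marker attribute name, filter class name and redirect path are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Rotates the session ID on the first request that arrives over HTTPS with a
 * session that was issued over plain HTTP. Map this filter in front of the
 * login pages; it relies on the servlet specification only, not on Tomcat internals.
 */
public class SecureSessionFilter implements Filter {
    // Attribute present only on sessions created under SSL (name is an assumption).
    static final String CREATED_UNDER_SSL = "session.createdUnderSsl";
    // Fixed, non-public page that restarts the login flow (path is an assumption).
    static final String LOGIN_ENTRY = "/secure/login";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        if (request.isSecure() && session != null
                && session.getAttribute(CREATED_UNDER_SSL) == null) {
            // The ID was sent in the clear (or may have been planted), so it must not
            // become the authenticated session: drop it before any login state is stored.
            session.invalidate();
            HttpSession fresh = request.getSession(true);      // new ID issued under SSL
            fresh.setAttribute(CREATED_UNDER_SSL, Boolean.TRUE);
            // External redirect so the browser re-sends with the new session cookie.
            response.sendRedirect(request.getContextPath() + LOGIN_ENTRY);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Sessions created while already under SSL are not marked by this filter; mark them where they are first created (for example in the login servlet) or treat a missing marker as "rotate once", as the code above does.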