Hi Dave

http://www.securityfocus.com/infocus/1774 suggests either implementing with an SSL connector http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html -or- encrypting each session id.

If you don't have the former you'll definitely want to implement the latter. Here's an example: http://www.spiration.co.uk/post/1199

Martin

----- Original Message -----
From: "Dave" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Tuesday, December 18, 2007 9:09 PM
Subject: tomcat session security hole

> Hi, I am using URL rewriting for session tracking, i.e., the session id is on the URL. After I log in to a web application, if someone else knows my current session id, he/she can access my account using the session id. It is ok because it is difficult for others to guess my session id. But right now I encounter an issue that will breach the security.
>
> Our web application is using a 3rd-party payment system. When a user clicks the pay button, we need to tell the payment system a return URL, a page URL to go to after a user finishes with the payment system. The return URL needs to have the user's session id so that he/she will not need to log in again after returning from the payment system. In this case, the 3rd-party payment system will know the user's session id, a security hole.
>
> Is there a solution for this scenario? The same security hole for cookie-based session tracking? In our case, we have to use URL rewriting because sometimes a new session is needed when users click some links on pages.
>
> In my opinion, the session id is not sufficient to identify a session; it should have the client's IP address for more security.
>
> Thanks for any ideas.
> Dave
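An added example, not code from the thread or from Tomcat, of a third way to handle the return URL Dave describes: the payment provider is given a single-use random token instead of the session id, and on return the token is redeemed once and a fresh session is started, so the id in the user's rewritten URLs never leaves the site. The `userId` session attribute, the `t` query parameter and the return URL are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Replaces the session id in the payment return URL with a one-time token. */
public class PaymentReturnTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_MILLIS = 15 * 60 * 1000L; // token lifetime
    // token -> pending return; one JVM here, use a shared store with expiry behind a cluster
    private static final Map<String, Pending> PENDING = new ConcurrentHashMap<>();

    private static final class Pending {
        final String userId;
        final long expiresAt;
        Pending(String userId, long expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }

    /** Before redirecting to the payment system: remember who is paying under a random token. */
    public static String issueToken(HttpSession session) {
        String userId = (String) session.getAttribute("userId"); // assumed login attribute
        if (userId == null) throw new IllegalStateException("not logged in");
        byte[] buf = new byte[32];
        RNG.nextBytes(buf); // 256 bits from a CSPRNG: not guessable like a sequential id
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        PENDING.put(token, new Pending(userId, System.currentTimeMillis() + TTL_MILLIS));
        return token; // assumed return URL: https://shop.example/paymentReturn?t=<token>
    }

    /** On the return page: redeem the token exactly once and start a fresh session. */
    public static HttpSession redeem(HttpServletRequest req) {
        String token = req.getParameter("t");
        Pending p = token == null ? null : PENDING.remove(token); // remove => single use
        if (p == null || p.expiresAt < System.currentTimeMillis()) {
            return null; // unknown, replayed or expired token: caller sends user to login
        }
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate(); // never keep two live sessions for one user
        HttpSession fresh = req.getSession(true); // new id, never seen by the provider
        fresh.setAttribute("userId", p.userId);
        return fresh;
    }
}
```

The provider only ever sees the token, which is dead after one redemption, so it can no longer be used to reach the account; the original session id stays inside the site's own rewritten URLs.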