Dave,

Dave wrote:
> Is there a solution for this scenario? the same security hole for
> cookie-based session tracking? In our case, we have to use URL
> rewriting because sometimes a new session is needed when users click
> some links on pages.
>
> In my opinion, session id is not sufficient to identify a session; it
> should have the client's IP address for more security.

Tomcat's built-in authentication and authorization do not support what you describe, but you could extend those classes and customize them to meet your needs. Securityfilter (http://securityfilter.sourceforge.net) is another option, and that particular feature is in the pipeline but not yet available. Again, self-customization is an option there, too.

Don't forget that forcing IP checking might not work for some customers who go through proxies that play games with the user's IP address (AOL used to do this... not sure if they still do).

-chris