Hi list. I've got an issue which I would like to share with you guys.
My webapp requires a user to log in, which in turn creates a session for that user. Now, when I browse my webapp the address bar shows the current URL with a JSESSIONID. Let's say:

http://testweb/testpageaction.do;jsessionid=SD23SL4DE134ADFF565D

If I execute this same URL on another machine, then I am able to browse my webapp as if I was logged in. I expected the session to be invalid for this request.

I've searched Google for jsessionid hijacking and found some ways to avoid the jsessionid appearing in the URL, or at least to ignore jsessionids passed by URL. However, as jsessionid URL rewriting is defined in the servlet specification, I would expect this to be secure. Therefore I was wondering whether the hijacking is caused by a misconfiguration of Tomcat, of my webapp, or is rather completely normal.

I would really appreciate it if someone could shed some light on this.

P.S.: I'm using Tomcat 5.5.27 - jdk 1.5.0_15.

Thanks in advance.
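As an added example (not code from the original post or from Tomcat), here is a Servlet 2.4 filter, usable on Tomcat 5.5, that refuses to honour a session id delivered as the `;jsessionid=` path parameter described above. The class name `UrlSessionIdFilter` is an assumption; it relies only on the standard `HttpServletRequest.isRequestedSessionIdFromURL()` method.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter: rejects any request whose session id arrived in the
 * URL (;jsessionid=...) rather than in the JSESSIONID cookie. A session id
 * that has appeared in a URL may already be in proxy logs, browser history
 * or Referer headers, so the session it names is treated as exposed and
 * invalidated before the request is refused.
 */
public class UrlSessionIdFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Servlet 2.x API: true when the container took the id from the URL.
        if (request.isRequestedSessionIdFromURL()) {
            // getSession(false) returns the session the URL id resolved to,
            // or null if that id is no longer valid.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Session ids in the URL are not accepted");
            return;
        }

        // Cookie-based (or no) session id: continue normally.
        chain.doFilter(request, response);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Map the filter to `/*` in `web.xml` ahead of the application's own filters. Note that it also blocks clients that have cookies disabled, since URL rewriting is the only way such clients can keep a session.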