JSESSIONID is the only way to identify the logged-in user. If you get it, you are this user.
But? We can check other things, for example the IP!

----- Original Message -----
From: "Pieter Temmerman" <ptemmerman....@sadiel.es>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Friday, March 13, 2009 5:15 PM
Subject: JSESSIONID hijacking

> Hi list.
>
> I've got an issue which I would like to share with you guys.
>
> My webapp requires a user to login, which in turn creates a session
> for that user.
>
> Now, when I browse my webapp the address bar shows the current URL with
> a JSESSIONID. Let's say:
> http://testweb/testpageaction.do;jsessionid=SD23SL4DE134ADFF565D
>
> If I execute this same URL on another machine, then I am able to browse
> my webapp as if I were logged in. I expected the session to be invalid
> for this request.
>
> I've searched Google for jsessionid hijacking and found some ways to
> avoid the jsessionid appearing in the URL, or at least to ignore
> jsessionids passed by URL.
>
> However, as the jsessionid URL rewriting is defined in the servlet
> specification, I would expect this to be secure.
>
> Therefore I was wondering whether the hijacking is caused by a
> misconfiguration of Tomcat, my webapp, or is rather completely normal.
>
> I would really appreciate it if someone could shed some light on this.
>
> P.S.: I'm using Tomcat 5.5.27 - jdk 1.5.0_15.
>
> Thanks in advance.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
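As an added illustration of the two points raised in this thread (not code from either poster), here is a Servlet 2.4 style filter for a Tomcat 5.5 webapp: it refuses requests whose session id arrived through URL rewriting, and, following the reply's suggestion, binds each session to the client address it was first seen from. The class and attribute names are my own; the IP check is a heuristic that breaks behind NAT or proxies and should be treated as defence in depth, not as the fix.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter name; map it to /* in web.xml ahead of the app's own filters.
public class SessionHijackFilter implements Filter {
    // Hypothetical session attribute holding the address that first used the session.
    private static final String BOUND_ADDR = "hijackfilter.boundAddr";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. A session id that came in via ";jsessionid=..." in the URL (and not via
        //    the cookie) is not trusted: refuse the request rather than resume the session.
        //    The session itself is left alone so a copied URL cannot log the real user out.
        if (request.isRequestedSessionIdFromURL()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "Session ids passed in the URL are not accepted");
            return;
        }

        // 2. Bind the session to the client address on first use; a later request from a
        //    different address ends the session. Remote addresses change legitimately
        //    (NAT, proxies, mobile clients), so expect some false positives.
        HttpSession session = request.getSession(false);
        if (session != null) {
            String addr = request.getRemoteAddr();
            String bound = (String) session.getAttribute(BOUND_ADDR);
            if (bound == null) {
                session.setAttribute(BOUND_ADDR, addr);
            } else if (!bound.equals(addr)) {
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                        "Session is bound to a different client address");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```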