> From: Zaki Akhmad [mailto:zakiakh...@gmail.com]
> 2009/3/13 zhaoxueqing <zhaoxueq...@g-data.com.cn>:
> >
> > jsessionid is the only way to identify the logged-in user.
> > if you get it, you are this user.
> > but? we can check others, for example IP!

Difficult, depending on your environment. Some ISPs run large proxy
clusters, meaning that different requests can appear to come from
different IP addresses.

> But we can *still* do IP spoofing. Any other better recommendation?

Don't just use a non-varying shared secret (a password) as login
information. Instead, use client certificate authentication (distributed
by non-network means such as USB keys) and/or a SecurID token or similar.

All of which pushes the cost of security to the point that the
application may be unworkable. What is "good enough" for your
application?

- Peter

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
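An added example, not code from this thread or from Tomcat itself, showing one way Peter's suggestion can be enforced on every request in a servlet filter: the session is bound to the subject of the client certificate presented when it was created, so a jsessionid on its own (with no certificate, or with someone else's) is refused. It assumes the Tomcat connector is configured for client-certificate authentication; the class name and the session attribute name are chosen for this example.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (not from the thread): binds each session to the client
// certificate presented when the session was created and rejects requests that
// reuse the JSESSIONID with a different or missing certificate. Assumes the
// connector has clientAuth enabled so Tomcat populates the standard
// "javax.servlet.request.X509Certificate" request attribute.
public class CertBoundSessionFilter implements Filter {
    static final String BOUND_SUBJECT = "example.boundCertSubject"; // name chosen here

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;

        String subject = presentedSubject(httpReq);
        if (subject == null) {
            // No client certificate: holding the session id alone proves nothing.
            httpRes.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }

        HttpSession session = httpReq.getSession(true);
        String bound = (String) session.getAttribute(BOUND_SUBJECT);
        if (bound == null) {
            session.setAttribute(BOUND_SUBJECT, subject);   // first request: bind the session
        } else if (!bound.equals(subject)) {
            session.invalidate();                           // same id, different client: drop it
            httpRes.sendError(HttpServletResponse.SC_FORBIDDEN, "session/certificate mismatch");
            return;
        }
        chain.doFilter(req, res);
    }

    // Subject DN of the leaf certificate in the client's chain, or null if none was sent.
    static String presentedSubject(HttpServletRequest req) {
        X509Certificate[] chain =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) return null;
        return chain[0].getSubjectX500Principal().getName();
    }
}
```

Register the filter in web.xml for the protected URL patterns; the IP check discussed above is deliberately absent, since a proxy cluster would make it reject legitimate users.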