Chuck,

On 5/13/2009 8:16 AM, Caldarale, Charles R wrote:
>> From: umeshkavade [mailto:umeshkav...@yahoo.co.in]
>> Subject: Re: Form Based Authentication creates user session before it is authenticated?
>>
>> P.S: BTW, is Tomcat planning to resolve this vulnerability in near future?
>
> I'll bite: what "vulnerability" are you referring to?

"Session fixation", which is essentially a form of session hijacking. Basically, you get yourself a session and a session id from the server. You write that down and walk away. Then, you trick someone else into sitting down and logging in. Since the session id does not change, you can go to another machine, hijack the user's session, and impersonate them.

-chris
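The scenario Chris describes, as an added illustration that is not code from this thread or from Tomcat: a small Python session-store model where `rotate_on_login` is a constructed flag, `False` reproducing the "session id does not change" behaviour and `True` the mitigation of issuing a fresh id when the user authenticates.

```python
import secrets


class SessionStore:
    """Minimal server-side session store modelling form-based login.

    Constructed example: sessions live in a dict keyed by session id;
    rotate_on_login decides whether the id is regenerated at login.
    """

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self._sessions = {}

    def new_session(self):
        """Issue an unauthenticated session, as the server does on first visit."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user, password):
        """Authenticate session `sid`; return the id the client must use afterwards."""
        if password != "correct-horse":  # constructed credential check
            raise PermissionError("bad credentials")
        state = self._sessions.pop(sid, None)
        if state is None:
            raise KeyError("unknown session")
        if self.rotate_on_login:
            # Mitigation: drop the pre-authentication id (which another party
            # may already know) and bind the authenticated state to a fresh one.
            sid = secrets.token_hex(16)
        state["user"] = user
        self._sessions[sid] = state
        return sid

    def whoami(self, sid):
        """Return the authenticated user bound to `sid`, or None."""
        return self._sessions.get(sid, {}).get("user")


def fixation_attempt(rotate_on_login):
    """Replay the post's scenario: an id is obtained first, then someone else
    logs in on that same session. Returns the user the original id resolves
    to afterwards; None means the recorded id is useless after login."""
    store = SessionStore(rotate_on_login)
    recorded_sid = store.new_session()  # the id "written down" beforehand
    store.login(recorded_sid, "victim", "correct-horse")  # victim logs in on it
    return store.whoami(recorded_sid)
```

The check a defender wants is the second case: after login, the pre-authentication id should no longer resolve to anyone.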