On 28.05.2009 01:42, Bill Davidson wrote:
> André Warnier wrote:
>> Bill Davidson wrote:
>> ...
>> "Our application switches between them [HTTP or HTTPS] based upon
>> whether there is sensitive data in the page or not."
>>
>> So I guess that if you did not do that, you would not be having this
>> issue.
>> Feasible ?
>
> Non-trivial. Also, there is resistance to making everything https due to
> performance concerns.
>
> I've also been doing some more in depth analysis of the logs, and I'm
> finding some cases of IP's jumping around for the same session id even
> when not switching protocols.
>
> I'm not even entirely sure it's proxies anymore. I'm back tracing some of
> these groups of IP's and sometimes they're not even for the same ISP.
> I've found mixes of AOL and Comcast as well as mixes of Comcast and
> SBC. Weird. I'm starting to worry that we're generating non-unique
> session id's or that there could be hackers trying to hi-jack people's
> sessions.
>
> More research to do....
To simplify your research a little bit: you mentioned you switched cookies off in order to use the jsessionid URL parameter to log the session IDs. If you keep cookies on, then you can also log the value of the JSESSIONID cookie by using the %C syntax of Apache's CustomLog. Look at

http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats

Something like %{JSESSIONID}C should work.

If you want to track whether a new session cookie has been set (because the old one was invalid), you can add e.g. \"%{Set-Cookie}o\"

Regards,

Rainer
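To show what the logging described above lets you do with the resulting lines, here is an added example (not from the thread or from the Tomcat/httpd projects). It assumes a LogFormat that appends %{JSESSIONID}C and %{Set-Cookie}o to the common log format (that LogFormat string, the "sessiontrack" nickname and the six log lines are constructed for the example), then parses such lines to list session IDs seen from more than one client IP and requests where the client presented a JSESSIONID but the server issued a fresh one, which is the "old one was invalid" case.

```python
import re
from collections import defaultdict

# Assumed httpd configuration (constructed for this example, not from the thread).
# %{JSESSIONID}C logs the request cookie value, %{Set-Cookie}o the response header;
# both are written as "-" when absent.
APACHE_CONFIG = r'''
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{JSESSIONID}C\" \"%{Set-Cookie}o\"" sessiontrack
CustomLog logs/access_log sessiontrack
'''

# Regex matching one line produced by the LogFormat above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<cookie>[^"]*)" "(?P<setcookie>[^"]*)"$'
)
# Extracts the session id from a Set-Cookie header such as "JSESSIONID=XYZ; Path=/app".
SET_COOKIE_RE = re.compile(r'JSESSIONID=([^;]+)')

# Constructed sample access log: one session (AAA111) appears from two client IPs,
# and one request presents CCC333 but gets a new cookie DDD444 back.
SAMPLE_LOG = """\
192.0.2.10 - - [28/May/2009:10:00:01 -0700] "GET /app/login HTTP/1.1" 200 1532 "-" "JSESSIONID=AAA111; Path=/app"
192.0.2.10 - - [28/May/2009:10:00:05 -0700] "GET /app/home HTTP/1.1" 200 4021 "AAA111" "-"
198.51.100.7 - - [28/May/2009:10:00:09 -0700] "GET /app/account HTTP/1.1" 200 2210 "AAA111" "-"
203.0.113.5 - - [28/May/2009:10:01:00 -0700] "GET /app/home HTTP/1.1" 200 4021 "BBB222" "-"
203.0.113.5 - - [28/May/2009:10:01:03 -0700] "GET /app/cart HTTP/1.1" 200 880 "BBB222" "-"
203.0.113.5 - - [28/May/2009:10:05:00 -0700] "GET /app/home HTTP/1.1" 200 4021 "CCC333" "JSESSIONID=DDD444; Path=/app"
"""


def parse_line(line):
    """Parse one log line in the assumed format; return a dict or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "-" means the client sent no JSESSIONID cookie; normalise to None.
    rec["cookie"] = None if rec["cookie"] == "-" else rec["cookie"]
    sc = SET_COOKIE_RE.search(rec["setcookie"])
    # Session id the server handed out in this response, if any.
    rec["new_session"] = sc.group(1) if sc else None
    return rec


def parse_log(text):
    """Parse all lines, silently skipping ones that do not match the format."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def session_ips(records):
    """Map each presented session id to the set of client IPs it was seen from."""
    ips = defaultdict(set)
    for r in records:
        if r["cookie"]:
            ips[r["cookie"]].add(r["ip"])
    return ips


def multi_ip_sessions(records):
    """Session ids presented from more than one client IP (proxy rotation or hijack candidates)."""
    return {sid: sorted(ips) for sid, ips in session_ips(records).items() if len(ips) > 1}


def replaced_sessions(records):
    """(presented, issued) pairs where the client sent a JSESSIONID but got a different one back,
    i.e. the presented session was no longer valid on the server."""
    return [(r["cookie"], r["new_session"]) for r in records
            if r["cookie"] and r["new_session"] and r["new_session"] != r["cookie"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sessions seen from several IPs:", multi_ip_sessions(recs))
    print("presented-but-replaced sessions:", replaced_sessions(recs))
```

On the sample this reports AAA111 as seen from both 192.0.2.10 and 198.51.100.7, and CCC333 as a cookie the server refused and replaced with DDD444. Run against a real log, the first list is where you would look for the IP jumping discussed in the thread, and the second tells you how often clients arrive with stale or unknown session ids.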