Rob,

On 10/4/2010 7:27 AM, Rob Gregory wrote:
> Using the hostname doesn't really guarantee a unique session, for example
> if I click new tab and paste the URL into the new window I suspect the
> browser will see the same session from the first tab.

Note that you haven't changed the hostname in this case: you've just cloned a browser window (or "tab" if you prefer to call it that).

> In our application
> the user can then change the environment with disastrous consequences
> when updating the database.

Sounds like you need to be pretty careful. Is it possible you've built a fragile application?

> Did you implement anything to stop the
> session sharing at this level? What I did was to use the window.name
> attribute to allow tracking of browser instances and compare this when
> doing the session timeout checking, and this way I am able to redirect
> any further browser opens into new sessions.

That's pretty fragile: relying on client-side javascript for anything security-related is very foolish.

> With the exception of WEB-INF (which was due to tomcat no longer seeing
> that as a WEB-INF call because I have my unique-id in the path) do you
> see any security faults in what I am doing?

Many: disabling javascript on the client side will break your security. An attacker overriding the javascript will break your security.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org