DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40222>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40222

           Summary: Default Tomcat configuration allows easy session
                    hijacking
           Product: Tomcat 5
           Version: 5.0.15
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]


Tomcat should not carry over a session id generated under HTTP to HTTPS
requests. After authentication, the session ID becomes THE secret password.

In reality, many standard servlets (including e.g. the Apache MyFaces servlet)
return a session ID on the first request. After the switch to SSL (with
authentication), the session ID is retained, thus allowing easy session
hijacking.

In an ideal world the session should survive the switch from HTTP to HTTPS, but
the session ID must change upon the switch to HTTPS.
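The mitigation the report asks for, written as an added example (not Tomcat's own code or anything from the reporter): a servlet filter that, on the first request arriving over TLS with a session that was issued over plain HTTP, keeps the session's attributes but discards the HTTP-issued session ID. The filter name and the marker attribute name are assumptions; it uses only Servlet 2.x APIs so the same approach applies to the Tomcat 5 line.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not part of Tomcat): when a request arrives over TLS
// carrying a session that was first created over plain HTTP, drop that
// session ID and continue with a fresh one, keeping the session's attributes.
public class SecureSessionRotationFilter implements Filter {
    // Marks a session as already issued over TLS (attribute name is an assumption).
    static final String ISSUED_OVER_TLS = "rotation.issuedOverTls";
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);   // never create one here
        if (http.isSecure() && session != null
                && session.getAttribute(ISSUED_OVER_TLS) == null) {
            rotate(http, session);   // the HTTP-issued ID is now invalid
        }
        chain.doFilter(req, res);
    }

    // Copy attributes, invalidate the HTTP-issued session, create a new session
    // (which gets a new ID and a new Set-Cookie), restore attributes, mark it.
    static HttpSession rotate(HttpServletRequest http, HttpSession old) {
        Map<String, Object> saved = new HashMap<String, Object>();
        for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = http.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(ISSUED_OVER_TLS, Boolean.TRUE);
        return fresh;
    }
}
```

On a Servlet 3.1 or later container the copy/invalidate/recreate dance can be replaced by a single `request.changeSessionId()` call; map the filter to the protected (HTTPS) paths so the rotation happens before the login handler reads the session.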
