https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #8 from Dillon Sellars <dill.sell...@gmail.com> 2009-03-23 07:34:47 PST --- It's worth mentioning that checking request.isRequestedSessionIdFromURL() won't stop session fixation attacks. The first request to Tomcat where a session is created will put the JSESSIONID in both the cookie and querystring. An attacker can shoulder-surf and read the JSESSIONID from the URL and craft their own JSESSIONID cookie. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org