RE: Changing SessionId at every request

2003-12-03 Thread Navjot Singh
Don't know why you wish to do so,
but it can be done. Write a filter. Pass every request through that.

1. Fetch the session, expire it. Server will assign a new one.
2. Fetch the session, don't expire the session, just append a timestamp to
it. Set a cookie and use that to maintain the session.

HTH
navjot singh

-Original Message-
From: Gurpreet Dhanoa [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 11:44 AM
To: Struts Users Mailing List
Subject: Changing SessionId at every request


Hi,

Is it possible to change the Session Id generated by the Web
Server at every request for the same client? I will make it much
more clear.

Say I have a Servlet running on Tomcat. What I want is, whenever
any user (let's assume USER A) makes a request, to change the
sessionId server variable which has been generated by the Web
Server to uniquely identify the client.

The purpose behind doing this is to make every request safe.


Any suggestions will be highly appreciated.


Thanks in Advance
Gary



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Changing SessionId at every request

2003-12-03 Thread Adam Hardy
I assume that Gurpreet wants to do it for security reasons and it's not
a bad idea. It certainly means that nobody would be able to share a
session, and so therefore a session-hijack would become obvious
immediately.

I think expiring the session is overkill - I would just leave the 
session as it is and use the filter to check and change my own 
hand-rolled session id.

Adam


--
struts 1.1 + tomcat 5.0.14 + java 1.4.2
Linux 2.4.20 RH9


Re: Changing SessionId at every request

2003-12-03 Thread Gurpreet Dhanoa
Hi Adam

You are on the right track in understanding my concern. Anyway, I have
made it possible. But now there is a small new issue.
It is:

I want to access the sessionId of another Web Server into some other web
server.
I mean, say I have a domain A on Server A; I want to access the sessionId of
Domain A on Domain B on Server B.

I think this is a very strange question but I have been asked the same.

Any help from you guys?
Thanks
Gary






RE: Changing SessionId at every request

2003-12-03 Thread Andrew Hill
ahhh... ok I think I see what you mean

So by 'hand rolled' sessionId what you mean is some kind of token that must
be submitted with each request to verify that it came from the real client?
(Rather like the token mechanism used to detect double submissions)

If he is after real security though, I would think using SSL might be a
safer option - though the performance is lower.


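
The filter idea from Adam Hardy's and Andrew Hill's messages above (leave the container session alone and have a filter check and change a hand-rolled token on every request), as an added example that is not code from the thread. It assumes Java 8 or later and the `javax.servlet` API (Servlet 3.0+ for `setHttpOnly`) on the classpath; the class name and the cookie name `RTOKEN` are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

public class RotatingTokenFilter implements Filter {
    private static final String NAME = "RTOKEN";   // hypothetical cookie and attribute name
    private static final SecureRandom RNG = new SecureRandom();
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(true);
        String expected = (String) session.getAttribute(NAME);   // null on the first request
        String presented = cookieValue(req);

        // Constant-time comparison of the token issued last time with the one sent now.
        boolean ok = expected == null || (presented != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8)));
        if (!ok) {
            // An old or missing token: a replayed request, or two clients on one session.
            session.invalidate();
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "session token mismatch");
            return;
        }
        // Issue the token the next request must present, before any output is committed.
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String next = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(NAME, next);
        Cookie cookie = new Cookie(NAME, next);
        cookie.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        cookie.setHttpOnly(true);            // Servlet 3.0+
        cookie.setSecure(req.isSecure());    // Secure flag whenever the request came over SSL
        res.addCookie(cookie);
        chain.doFilter(req, res);
    }

    private static String cookieValue(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();   // null when the request carries no cookies
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName())) return c.getValue();
        }
        return null;
    }
}
```

Requests sent in parallel by one browser (a page and its images, for instance) race on the token, so map the filter only to requests that arrive one at a time. The cookie still crosses the wire in clear text unless the site also uses SSL.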



Re: Changing SessionId at every request

2003-12-03 Thread Gurpreet Dhanoa
Hi Andrew

You are right. I can implement SSL but there must be a solution for this
trouble, right?
Thanks

Gary



[OT] Re: Changing SessionId at every request

2003-12-03 Thread Adam Hardy
Will Hartung was asking the same questions just hours ago in the thread
"cross-site single sign on" on the tomcat user list - so you are not
alone. However I don't have any experience with this (it's getting
OT). Sorry. Following is an interesting bit from his message:

Now, if you have sitea.com and siteb.com, then the cookie technique can't
work (as neither can set a cookie for the other). So, I'm thinking that you
can do something similar, a signed token, in a hidden field and then having
to submit a form to get to the new site.
Of course, you can always stick the token on the URL as well.


Re: Changing SessionId at every request

2003-12-03 Thread Kirk Wylie
Gary, to be really honest, what you're trying to do is implement an 
SSL-like mechanism without using SSL. This is exactly the situation that 
SSL is designed to guarantee from a Server perspective (that a single 
connection is actually with a single client and hasn't been hijacked 
in any way). It might just be faster (from a development perspective) to 
just go with SSL in production.

Any particular reason you're reluctant to go with an SSL-based solution?

Kirk Wylie
M7 Corporation


RE: Changing SessionId at every request

2003-12-02 Thread Andrew Hill
huh?
This is a joke right?
