All,

Christopher Schultz wrote:
| This is interesting for the securityfilter project, which DOES allow
| drive-by logins. Hmm. I'll have to think about this one. Thanks!

I checked, and a login attempt on an existing authenticated session results in securityfilter destroying the existing session and creating a new one for the new login. Existing sessions with NO authentication information are preserved, which means that securityfilter is also vulnerable to Session Fixation (which is essentially informed-session-hijacking).

-chris
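A small Python model of the login behaviour described in the message above, next to a variant that always issues a fresh session id at login. It is an added example, not securityfilter's code: `SessionStore`, `login_as_described`, `login_hardened` and `id_survives_login` are hypothetical names, and the in-memory store stands in for the container's session manager.

```python
import secrets

class SessionStore:
    """Hypothetical in-memory stand-in for a container's session manager."""
    def __init__(self):
        self.sessions = {}                      # session id -> attribute dict

    def create(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}     # None means "not authenticated"
        return sid

    def destroy(self, sid):
        self.sessions.pop(sid, None)

def login_as_described(store, sid, user):
    """Policy from the message: only an already-authenticated session is replaced."""
    if sid not in store.sessions:
        sid = store.create()
    elif store.sessions[sid]["user"] is not None:
        store.destroy(sid)
        sid = store.create()
    # An unauthenticated session falls through and keeps its pre-login id.
    store.sessions[sid]["user"] = user
    return sid

def login_hardened(store, sid, user):
    """Always rotate the id at the authentication boundary."""
    carried = dict(store.sessions.get(sid, {}))  # keep pre-login attributes
    store.destroy(sid)                           # the old id stops being valid
    sid = store.create()
    store.sessions[sid].update(carried)
    store.sessions[sid]["user"] = user
    return sid

def id_survives_login(login, prior_user=None):
    """Regression check: True if an id known before login is still valid,
    and now authenticated, after the login completes."""
    store = SessionStore()
    pre = store.create()
    store.sessions[pre]["user"] = prior_user
    login(store, pre, "alice")                   # "alice" is a constructed sample user
    return pre in store.sessions and store.sessions[pre]["user"] == "alice"
```

`id_survives_login` returning True is the fixation condition: an id that existed before authentication now carries the authenticated identity. In a servlet container the hardened path corresponds to invalidating the session and creating a new one on every successful login.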