On Tue, Oct 18, 2005 at 12:28:31PM +0200, Ryszard Lach wrote:
> We thought that one of the possible solutions would be binding the user's
> session to SSL_SESSION_ID (i.e. keeping SSL_SESSION_ID in the user's session
> and comparing it at every request with the ID read from this request).
>
Don't - SSL_SESSION_ID
Hi.
We are developing a Java-based webapp, a kind of CMS. The problem is
that a relatively big group of its users will have rights to create
pages, upload files etc., and also upload JavaScript pages. In this case an
attacker will be able to steal somebody's session (e.g. by creating a JS page
which will r