Re: META - Thread Hijacking

On 02/09/2010 01:47, Len Popp wrote: > On Wed, Sep 1, 2010 at 19:08, Konstantin Kolinko > wrote: >> Have you ever searched the list archives? > > Good idea... > http://tomcat.markmail.org/search/?q=hijack#query:hijack%20list%3Aorg.apache.tomcat.users+page:1+state:facets > More than 700 messages!

Re: META - Thread Hijacking

On Wed, Sep 1, 2010 at 19:08, Konstantin Kolinko wrote: > Have you ever searched the list archives? Good idea... http://tomcat.markmail.org/search/?q=hijack#query:hijack%20list%3Aorg.apache.tomcat.users+page:1+state:facets More than 700 messages! Really, is there a reason they all need to be sent

Re: META - Thread Hijacking

> Have you ever searched the list archives? Hijacked threads are > harmful. I appreciate those complaints being on the list, so that I > won't waste my time replying (and increasing the mess). > In that case the answer is yes. I should read this in a threaded client. -

Re: META - Thread Hijacking

2010/9/2 Len Popp : > On Wed, Sep 1, 2010 at 18:06, Christopher Schultz > wrote: >> In the end, it's mostly up to the user's own personal preference which >> way things should go. Those of us whose mail clients respect the >> thread-id in the SMTP headers can see immediately when someone hijacks a

RE: META - Thread Hijacking

--Original Message- > From: Len Popp [mailto:len.p...@gmail.com] > Sent: Wednesday, September 01, 2010 4:28 PM > To: Tomcat Users List > Subject: Re: META - Thread Hijacking > > On Wed, Sep 1, 2010 at 18:06, Christopher Schultz > wrote: > > In the end, it's mostl

Re: META - Thread Hijacking

On Wed, Sep 1, 2010 at 18:06, Christopher Schultz wrote: > In the end, it's mostly up to the user's own personal preference which > way things should go. Those of us whose mail clients respect the > thread-id in the SMTP headers can see immediately when someone hijacks a > thread. Those folks have

Re: META - Thread Hijacking

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Wesley, On 9/1/2010 5:39 PM, Wesley Acheson wrote: > I've seen complaints about thread hijacking but I always see them as > different threads in my mail client. (Gmail) should I be using > different software to subscribe to the lis

RE: META - Thread Hijacking

> From: Wesley Acheson [mailto:wesley.ache...@gmail.com] > Subject: META - Thread Hijacking > I've seen complaints about thread hijacking but I always see > them as different threads in my mail client. Newer e-mail readers tend to ignore much of the SMTP header information and

META - Thread Hijacking

I've seen complaints about thread hijacking but I always see them as different threads in my mail client. (Gmail) should I be using different software to subscribe to the list I think I've replied to them (threadjacks) a few tim

Re: Hijacking

Sorry, i'll remember this not just for you, but for everyone to specifically use new for new threads. -- From: "ULS Tech Support" Sent: Tuesday, October 20, 2009 1:13 PM To: "Tomcat Users List" ; Subject: Re: Hijacking

Re: Hijacking

Fair enough... I didn't think it was a big deal to do that... clicking new instead of reply... But really, i am still asking a valid question and require help... Didn't realize that this thread hijacking was going to cause someone to tell me what i did wrong, when i still h

Hijacking

On 20/10/2009 19:02, ULS Tech Support wrote: Tell me how i hijacked my own thread? As I described. See? This is my own thread.. and i actually modified the last one i sent out, cleared everything and typed out brand new. Umm, yes, that would be what we call hijacking. You hijacked a

Re: JSESSIONID hijacking

://testweb/testpageaction.do;jsessionid=SD23SL4DE134ADFF565D If I execute this same URL in another machine, then I am able to browse my webapp, as if I was logged in. I expected the session to be invalid for this request. I've searched Google for jsessionid hijacking and found some ways to a

RE: JSESSIONID hijacking

> From: Zaki Akhmad [mailto:zakiakh...@gmail.com] > 2009/3/13 zhaoxueqing : > > > jsessionid is the only way to indentity the user logined. > > if you get it ,you are this user. > > but? we can check others , for example IP! Difficult, depending on your environment. Some ISPs run large proxy clus

Re: JSESSIONID hijacking

Just a word about associating a given session to one IP address, it works alright and sure is a security enhancement - not sure though if there are built-in support for that in tomcat though it can be implemented at application layer. The major drawback of doing so depends of your user's ISP IPs ma

Re: JSESSIONID hijacking

2009/3/13 zhaoxueqing : > jsessionid is the only way to indentity the user logined. > if you get it ,you are this user. > but? we can check others , for example IP! But we can *still* do IP spoofing. Any other better recomendation? This issue is one of my concern also. -- Zaki Akhmad -

RE: JSESSIONID hijacking

> From: Pieter Temmerman [mailto:ptemmerman@sadiel.es] > I don't know. It just seemed way to easy to hijack a session, so I > supposed it must be secure. Large portions of the web architecture are insecure by their original design. This makes security in web-based systems... erm.. "a challen

RE: JSESSIONID hijacking

> > However, as the jsessionid URL rewriting is defined in the servlet > > specification, I would expect this to be secure. > > Why, out of interest? I don't know. It just seemed way to easy to hijack a session, so I supposed it must be secure. > It's completely normal. Other frameworks have ex

RE: JSESSIONID hijacking

> From: Pieter Temmerman [mailto:ptemmerman@sadiel.es] > However, as the jsessionid URL rewriting is defined in the servlet > specification, I would expect this to be secure. Why, out of interest? > Therefor I was wondering whether the hijacking is caused by a > misconfigur

Re: JSESSIONID hijacking

jsessionid is the only way to indentity the user logined. if you get it ,you are this user. but? we can check others , for example IP! - Original Message - From: "Pieter Temmerman" To: "Tomcat Users List" Sent: Friday, March 13, 2009 5:15 PM Subject: JSESSIO

JSESSIONID hijacking

eaction.do;jsessionid=SD23SL4DE134ADFF565D If I execute this same URL in another machine, then I am able to browse my webapp, as if I was logged in. I expected the session to be invalid for this request. I've searched Google for jsessionid hijacking and found some ways to avoid jsessionid to appear in

RE: Session Hijacking with Apache Tomcat

> From: Jasbinder Singh Bali [mailto:[EMAIL PROTECTED] > Isn't there any feature in tomcat itself that would > automatically take care > of session hijacking without doing something at web application level. Not in all cases. SSL deals with untrusted networks, but if you can&#

Re: Session Hijacking with Apache Tomcat

Jasbinder Singh Bali wrote: And how should i get rid of session hijacking. Is there any feature is tomcat that takes care of it? On 4/4/07, Mikolaj Rydzewski <[EMAIL PROTECTED]> wrote: Jasbinder Singh Bali wrote: >> In short, i need to demonstrate session hijacking in apache

[OT] RE: Session Hijacking with Apache Tomcat

> From: Mikolaj Rydzewski [mailto:[EMAIL PROTECTED] > Jasbinder Singh Bali wrote: > > And how should i get rid of session hijacking. Is there any > feature is > > tomcat that takes care of it? > Figure it out yourself, it's not so hard ;-) > > I.e. you can sto

Re: Session Hijacking with Apache Tomcat

Isn't there any feature in tomcat itself that would automatically take care of session hijacking without doing something at web application level. something like the way BadInputFilering valve in Tomcat tries to escape certain string patterns from the GET and POST parameter names and valu

RE: Session Hijacking with Apache Tomcat

: Mikolaj Rydzewski [mailto:[EMAIL PROTECTED] Sent: 04 April 2007 16:04 To: Tomcat Users List Subject: Re: Session Hijacking with Apache Tomcat Jasbinder Singh Bali wrote: > And how should i get rid of session hijacking. Is there any feature is > tomcat that takes care of it? Figure it out yo

Re: Session Hijacking with Apache Tomcat

Jasbinder Singh Bali wrote: And how should i get rid of session hijacking. Is there any feature is tomcat that takes care of it? Figure it out yourself, it's not so hard ;-) I.e. you can store client's IP address in a session, and compare it with every request. If they don

RE: Session Hijacking with Apache Tomcat

> From: Jasbinder Singh Bali [mailto:[EMAIL PROTECTED] > And how should i get rid of session hijacking. Is there any feature is > tomcat that takes care of it? I shouldn't do your work for you, but... just hope your supervisor doesn't read tomcat-users :-). Demonstrate: the s

Re: Session Hijacking with Apache Tomcat

And how should i get rid of session hijacking. Is there any feature is tomcat that takes care of it? On 4/4/07, Mikolaj Rydzewski <[EMAIL PROTECTED]> wrote: Jasbinder Singh Bali wrote: >> In short, i need to demonstrate session hijacking in apache tomcat and >> then show meas

Re: Session Hijacking with Apache Tomcat

Jasbinder Singh Bali wrote: Hi, I have to demonstrate Session Hijacking with Apache Tomcat to my advisor when some precautionary measures are not taken. Maybe securityfocus.com has some information on that? - To start a new

Re: Session Hijacking with Apache Tomcat

Jasbinder Singh Bali wrote: In short, i need to demonstrate session hijacking in apache tomcat and then show measures that would be taken to get rid of it. Any kind of help would be highly appreciated. Turn off cookies, Tomcat should then rewrite URLs to include jsessionid. Then it's tr

Session Hijacking with Apache Tomcat

Hi, I have to demonstrate Session Hijacking with Apache Tomcat to my advisor when some precautionary measures are not taken. I'm just wondering how can I do this. After a satisfactory demonstration, I need to demonstrate the steps I would take to get rid of this session hijacking. In sho

Re: session hijacking again

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mitchell, Fisher, Mitchell L wrote: >> Without SSL, though, remember that anyone who is capable of hijacking >> the session is probably also capable of sniffing your users' >> credentials. What are the implications of that? If

RE: session hijacking again

> Without SSL, though, remember that anyone who is capable of hijacking > the session is probably also capable of sniffing your users' > credentials. What are the implications of that? If it is unacceptable to > have your credentials go over the network in cleartext, then you will

Re: session hijacking again

, and it appears that session hijacking /will/ then be one of your only worries. Like AOL users, and some others going through proxies, etc. It's a relatively effective mechanism, and you might want to allow users to opt-in to this type of thing. You'll notice that some sites have a check

Re: session hijacking again

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Martin, Martin Gainty wrote: > SE seems definitely O/T This is not off-topic. > so please email me offline on this topic of Social Engineering This is not a question about social engineering. > Perhaps this is a project which the government never

Re: session hijacking again

e le reproduire. - Original Message - From: "John Caron" <[EMAIL PROTECTED]> To: "Tomcat Users List" Sent: Monday, January 29, 2007 3:17 PM Subject: Re: session hijacking again Hi Peter: Peter Stavrinides wrote: Do you use Java? yes We are a financial inst

Re: session hijacking again

riginal Message - From: "John Caron" <[EMAIL PROTECTED]> To: "Tomcat Users List" Sent: Monday, January 29, 2007 3:17 PM Subject: Re: session hijacking again > Hi Peter: > > Peter Stavrinides wrote: >> Do you use Java? > > yes > >&g

Re: session hijacking again

ession hijacking /will/ then be one of your only worries. >> Like AOL users, and some others going through proxies, etc. It's a >> relatively effective mechanism, and you might want to allow users to >> opt-in to this type of thing. You'll notice that some sites have a >&

Re: session hijacking again

Hi Peter: Peter Stavrinides wrote: Do you use Java? yes We are a financial institution, we use a Java Framework based on servlets with SSL, but if you ask my opinion SSL is not the big issue. The vast majority of hacked sites are social engineering attacks. Secure your database (do not s

Re: session hijacking again

, February 2006. We realize this makes us vulnerable to session hijacking. Still, we arent transferring financial information, so tentatively we think its a reasonable risk. Just make sure that your users don't use the same username and password they use for their online banking. Seri

Re: session hijacking again

ld like to use session ids to reduce the login overhead. We cant afford the overhead of HTTPS encryption of teh data (3 times slower ?). We realize this makes us vulnerable to session hijacking. Still, we arent transferring financial information, so tentatively we think its a reasonable r

Re: session hijacking again

of HTTPS > encryption of teh data (3 times slower ?). I think that SSL is much slower than that. Usually, special hardware is required to make SSL perform well enough to handle heavy traffic. > We realize this makes us vulnerable to session hijacking. Still, we > arent transferring financi

session hijacking again

vulnerable to session hijacking. Still, we arent transferring financial information, so tentatively we think its a reasonable risk. The Wikipedia article (http://en.wikipedia.org/wiki/Session_hijacking) suggest a couple of things that help, that seem reasonable to me: # Some services make

RE: Session hijacking with Tomcat/Myfaces - unable to fix it

I thought it was for some reason like that and I guess more environments are closing that option off. -Original Message- From: David Rees [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 16, 2006 6:02 PM To: Tomcat Users List Subject: Re: Session hijacking with Tomcat/Myfaces - unable

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

On 8/16/06, Propes, Barry L <[EMAIL PROTECTED]> wrote: From: Maurice Yarrow [mailto:[EMAIL PROTECTED] Generally, getRemoteHost() and getRemoteAddr() return the same value, but I had found a situation during testing where getRemoteAddr() returned an IP address but getRemoteHost() returned nothing

RE: Session hijacking with Tomcat/Myfaces - unable to fix it

e: Session hijacking with Tomcat/Myfaces - unable to fix it Hello Barry Generally, getRemoteHost() and getRemoteAddr() return the same value, but I had found a situation during testing where getRemoteAddr() returned an IP address but getRemoteHost() returned nothing. (That was two months ago, and I

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

tions under which this occurred.) Maurice Yarrow Propes, Barry L wrote: what about getRemoteHost()? -Original Message- From: Maurice Yarrow [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 5:30 PM To: Tomcat Users List Subject: Re: Session hijacking with Tomcat/Myfaces - unable t

RE: Session hijacking with Tomcat/Myfaces - unable to fix it

mmm, ok. -Original Message- From: David Rees [mailto:[EMAIL PROTECTED] Sent: Friday, August 11, 2006 2:51 PM To: Tomcat Users List Subject: Re: Session hijacking with Tomcat/Myfaces - unable to fix it On 8/11/06, Propes, Barry L <[EMAIL PROTECTED]> wrote: > what about getR

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

On 8/11/06, Propes, Barry L <[EMAIL PROTECTED]> wrote: what about getRemoteHost()? getRemoteHost is simply a getRemoteAddr with a reverse DNS lookup thrown on top. No additional security there, in fact one could argue that there is less. -Dave -

RE: Session hijacking with Tomcat/Myfaces - unable to fix it

what about getRemoteHost()? -Original Message- From: Maurice Yarrow [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 5:30 PM To: Tomcat Users List Subject: Re: Session hijacking with Tomcat/Myfaces - unable to fix it Hello David, Tomas: About two months ago, I tried using the

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

Maurice Yarrow wrote: Thanks for adding this thought. As per my previous note on this subject, in light of your (relative) confidence in using IP, maybe I _should_ reconsider the getRemoteAddr() and simply use it as an addt'l advisory for making session auth decision on successive pages as the

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

Tomas Hulek wrote: Unfortunately, filters are skipped (ie. not called at all) when form-based login page is processed as a result of client requesting a secure area. We tried that too... By the way, the original URL that the client requested is hidden in the session in a way which prevents the

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

e this sort of thing before with success and the filter is pretty lightweight, so there is little performance impact. -marc --- Tomas Hulek <[EMAIL PROTECTED]> wrote: > The default Tomcat installation is prone to session > hijacking. I would > appreciate help how to fix it. >

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

session ID and all) and email it to friends and company? Session hijacking is a potential problem with all web apps, regardless of technology. The only thing we can do, falling short of making the user authenticate with each request, is to determine the right balance between content security and

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

Hello David, Tomas: About two months ago, I tried using the getRemoteAddr() for doing IP check as an addtional auth metric, but found exactly than on local net, this did not discriminate in many cases and only a single IP was returned for hosts on LAN. So I decided that there was too much ambigu

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

nds and company? Session hijacking is a potential problem with all web apps, regardless of technology. The only thing we can do, falling short of making the user authenticate with each request, is to determine the right balance between content security and risk. For most applications, I would

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

I wonder if associating (and checking) the request IP with the session would reduce the problem to some acceptable level. What is the chance of a session being hijacked from the same network (face-ip)? Another question is can the original request IP be spoofed? In this case the chances are rela

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

Subject "Tomcat Users Re: Session hijacking with List" Tomcat/Myfaces - unable to fix it <[EMAIL PROTECTED]

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

- From: "Tomas Hulek" <[EMAIL PROTECTED]> To: "Tomcat Users List" Sent: Thursday, August 10, 2006 12:06 PM Subject: Re: Session hijacking with Tomcat/Myfaces - unable to fix it > > We have tried it, but the internal session attributes where Tomcat stores >

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

Subject "Tomcat Users Re: Session hijacking with List" Tomcat/Myfaces - unable to fix it <[EMAIL PROTECTED]

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

13:16 cc Please respond to Subject "Tomcat Users Re: Session hijacking with

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

Well HTTP Cookies have a solution to this problem. They have a "Secure" keyword in the Set-Cookie line. This stops the client leaking the cookie outside of a secure channel. The problem is I dont think Tomcat keeps track and flags if a session has been exposed via a non-secure channel or

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

-ID as the identifier for your users. Might be straight forward, but architecturally a bad choice if you *really* want a secure area. Kim :-) On 8/9/06, Tomas Hulek <[EMAIL PROTECTED]> wrote: The default Tomcat installation is prone to session hijacking. I would appreciate he

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

Tomas Hulek wrote: > Any hints how to fix it? Again, do all access to your app under https. Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail:

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

gt; Kim :-) > > On 8/9/06, Tomas Hulek <[EMAIL PROTECTED]> wrote: > > > > The default Tomcat installation is prone to session hijacking. I would > > appreciate help how to fix it. > > > > The problem is that the session-id generated under HTTP (eg. for any JSF &g

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

on is prone to session hijacking. I would appreciate help how to fix it. The problem is that the session-id generated under HTTP (eg. for any JSF page) is caried over to authenticated confidential pages under HTTPS. Thus the session ID can be easily sniffed under HTTP, then misused after user lo

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

Tomas Hulek wrote: > The default Tomcat installation is prone to session hijacking. I would > appreciate help how to fix it. This is a more general http problem with a well known solution. Do everything over https. Mark --

Session hijacking with Tomcat/Myfaces - unable to fix it

The default Tomcat installation is prone to session hijacking. I would appreciate help how to fix it. The problem is that the session-id generated under HTTP (eg. for any JSF page) is caried over to authenticated confidential pages under HTTPS. Thus the session ID can be easily sniffed under

RE: Hijacking the coyote connector

Thanks, Charles and Bill. This has been most helpful. I will be looking and both alternatives. mike -Original Message- From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker Sent: Saturday, October 15, 2005 5:56 PM To: tomcat-user@jakarta.apache.org Subject: Re: Hijacking the

Re: Hijacking the coyote connector

There should never be a reason to replace the Connector in Tomcat, since all it does is serve as a bridge. Also, in TC 5.5.x, the Connector is strongly integrated with the container code, so it is is almost certainly more trouble than it is worth to try. The recommended way to do what it sound