Re: How to avoid session fixation?

2008-02-12 Thread Christopher Schultz
David, david delbecq wrote: | I would more be thinking about applications that play with | sessionlistener and maintain a list of active sessions (to track number of | users / who is logged in, etc). Like ip-session id matching, a change | id on the

Re: How to avoid session fixation?

2008-02-11 Thread Christopher Schultz
David, David Delbecq wrote: | I think this is worth submitting a security issue request on tracker, | to ask that, at least, the container links the requester IP to the | session. I'm pretty sure that nobody will want to do this -- at least not

Re: How to avoid session fixation?

2008-02-11 Thread david delbecq
Christopher Schultz wrote: David, David Delbecq wrote: | I think this is worth submitting a security issue request on tracker, | to ask that, at least, the container links the requester IP to the | session. I'm pretty sure that nobody will want

Re: How to avoid session fixation?

2008-02-08 Thread Christoph Lenggenhager
David, Christopher, thank you for sharing your thoughts. It seems to me that there is no standard solution to this problem, but you agree with me that the problem exists. As I mentioned before, I came up with a solution that looks promising. Here's a rough description, I'd welcome your

Re: How to avoid session fixation?

2008-02-08 Thread David Delbecq
I think this is worth submitting a security issue request on tracker, to ask that, at least, the container links the requester IP to the session. Changing the session ID upon login in the container would be a good thing IMHO; it would ensure the ID becomes unknown to the attacker after login, wouldn't destroy

How to avoid session fixation?

2008-02-06 Thread Christoph Lenggenhager
Dear all, I'm currently trying to find a way to fight Session Fixation (http://www.owasp.org/index.php/Session_Fixation) in tomcat when using the built-in mechanisms to authenticate users of a servlet. In the environment in question, our own realm implementation is in place and we use the

Re: How to avoid session fixation?

2008-02-06 Thread Christopher Schultz
Christoph, Christoph Lenggenhager wrote: | I'm currently trying to find a way to fight Session Fixation | (http://www.owasp.org/index.php/Session_Fixation) in tomcat when using | the built-in mechanisms to authenticate users of a servlet. I don't

Re: How to avoid session fixation?

2008-02-06 Thread david delbecq
Sorry Christopher, but I tried at work, it's very easy to force a user to use a specific sessionid, and later use yourself that session id to gain that user's credentials, and for the whole session there is only one login, the one from the user you attempt to hijack. As such, tomcat is
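The attack David describes in the message above, and the mitigation proposed earlier in the thread (have the container issue a new session ID at login), as an added example that is not part of the original thread and is not Tomcat code. It models a container's session store in Python; the store, the `alice` credential, and the attack steps are all constructed for illustration:

```python
"""Toy model of a servlet container's session store: the session fixation
attack from the thread, then the mitigation of issuing a new ID at login.
Constructed example, not Tomcat code."""
import hmac
import secrets

# Constructed credential store standing in for the application's Realm.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Sessions keyed by ID; the ID is what the browser carries in the
    JSESSIONID cookie or a ;jsessionid= URL parameter."""

    def __init__(self, change_id_on_login):
        self.change_id_on_login = change_id_on_login
        self.sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def resolve(self, sid):
        """A container never adopts an unknown ID: a forged or expired ID
        just yields a fresh session. Fixation therefore needs a real ID."""
        return sid if sid in self.sessions else self.create()

    def login(self, sid, username, password):
        """Returns (session ID the browser should use from now on, success)."""
        sid = self.resolve(sid)
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return sid, False
        if self.change_id_on_login:
            # Mitigation: move the session to a fresh ID and drop the old
            # one, so whoever knew the pre-login ID is left with nothing.
            attrs = self.sessions.pop(sid)
            sid = self.create()
            self.sessions[sid] = attrs
        self.sessions[sid]["user"] = username
        return sid, True

    def current_user(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(change_id_on_login):
    """Play out the attack against a store with or without the mitigation."""
    server = SessionStore(change_id_on_login)

    # 1. The attacker visits the site and receives a perfectly valid,
    #    unauthenticated session ID.
    attacker_sid = server.create()

    # 2. The attacker plants that ID in the victim's browser (link with
    #    ;jsessionid=..., cookie injection, ...). Modelled as the victim's
    #    cookie simply starting out equal to the attacker's ID.
    victim_cookie = attacker_sid

    # 3. The victim logs in. Only one login happens in the whole session.
    victim_cookie, ok = server.login(victim_cookie, "alice", USERS["alice"])
    assert ok

    # 4. The attacker presents the ID they chose at step 1.
    return {
        "attacker_sees": server.current_user(attacker_sid),
        "victim_sees": server.current_user(victim_cookie),
        "victim_id_changed": victim_cookie != attacker_sid,
    }


if __name__ == "__main__":
    print("no regeneration:", fixation_attack(change_id_on_login=False))
    print("regenerate at login:", fixation_attack(change_id_on_login=True))
```

Without regeneration the attacker's pre-chosen ID is authenticated as `alice` after the victim's single login; with it, the attacker's ID is gone and only the victim's new cookie is logged in. In a servlet the application-side equivalent is to `invalidate()` the session once the realm has accepted the credentials and take a new one with `request.getSession(true)`, copying over any attributes worth keeping; Servlet 3.1 later added `HttpServletRequest.changeSessionId()` for exactly this, and later Tomcat releases do it inside the container through the authenticator's `changeSessionIdOnAuthentication` attribute. Neither existed when this thread was written, and with container-managed login the login step happens inside the container, which is why the thread discusses doing the change there rather than in the application.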

Re: How to avoid session fixation?

2008-02-06 Thread Christopher Schultz
David, david delbecq wrote: | Sorry Christopher, but I tried at work, it's very easy to force a user | to use a specific sessionid, and later use yourself that session id to | gain that user's credentials, and for the whole session there is only one

Re: How to avoid session fixation? [securityfilter-specific response]

2008-02-06 Thread Christopher Schultz
All, Christopher Schultz wrote: | This is interesting for the securityfilter project, which DOES allow | drive-by logins. Hmm. I'll have to think about this one. Thanks! I checked, and a login attempt on an existing authenticated session results in