/testpageaction.do;jsessionid=SD23SL4DE134ADFF565D
If I execute this same URL in another machine, then I am able to browse
my webapp, as if I was logged in. I expected the session to be invalid
for this request.
I've searched Google for jsessionid hijacking and found some ways to
avoid jsessionid appearing in the URL
Subject: JSESSIONID hijacking
Hi list.
I've got an issue which I would like to share with you guys.
My webapp requires a user to login, which in turn creates a session
for that user.
Now, when I browse my webapp the address bar shows the current URL with
a JSESSIONID. Let's say
From: Pieter Temmerman [mailto:ptemmerman@sadiel.es]
However, as the jsessionid URL rewriting is defined in the servlet
specification, I would expect this to be secure.
Why, out of interest?
Therefore I was wondering whether the hijacking is caused by a
misconfiguration of Tomcat, my
I don't know. It just seemed way too easy to hijack a session, so I
supposed it must be secure.
It's completely normal. Other frameworks have exactly
From: Pieter Temmerman [mailto:ptemmerman@sadiel.es]
Large portions of the web architecture are insecure by their original design.
This makes security in web-based systems... erm.. a challenge
2009/3/13 zhaoxueqing zhaoxueq...@g-data.com.cn:
jsessionid is the only way to identify the logged-in user.
If you get it, you are this user.
But we can check others, for example IP!
But we can *still* do IP spoofing. Any other better recommendation?
This issue is one of my concerns also.
Just a word about associating a given session to one IP address: it
works alright and sure is a security enhancement - not sure though if
there is built-in support for that in Tomcat, though it can be
implemented at the application layer. The major drawback of doing so
depends on your users' ISP IPs
From: Zaki Akhmad [mailto:zakiakh...@gmail.com]
Difficult, depending on your environment. Some ISPs run
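An added example, not code from anyone in this thread: a servlet filter for the Tomcat 5/6-era webapp described above that keeps the session id out of URLs (so the address bar never shows ;jsessionid=...) and refuses to run a request as the session's owner when the id arrived in the URL path. The class name is my own; it assumes a Servlet 2.5 (javax.servlet) container.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical filter: never write the session id into a URL, never honour one read from a URL. */
public class NoUrlSessionIdFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // ";jsessionid=..." in the path is exactly the pasted-URL case from the thread.
        // The container has already attached the session, but we stop here before the
        // application runs, so the request is never served as that user. We deliberately
        // do NOT invalidate the session: that would let anyone holding the URL log the
        // real owner out. Instead, send the client to the same URL without the path
        // parameter; it will get a fresh, cookie-only session there.
        if (request.isRequestedSessionIdFromURL()) {
            // Built from the decoded parts because getRequestURI() can still carry ";jsessionid".
            String clean = request.getContextPath() + request.getServletPath()
                    + (request.getPathInfo() == null ? "" : request.getPathInfo());
            if (request.getQueryString() != null) {
                clean += "?" + request.getQueryString();
            }
            response.sendRedirect(clean);
            return;
        }

        // Downstream JSPs/Struts tags call encodeURL()/encodeRedirectURL() when they build
        // links; returning the URL unchanged means no session id is ever rewritten into it.
        chain.doFilter(req, new HttpServletResponseWrapper(response) {
            @Override public String encodeURL(String url) { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
            @Override public String encodeUrl(String url) { return url; }
            @Override public String encodeRedirectUrl(String url) { return url; }
        });
    }

    public void destroy() { }
}
```

Map the filter to /* in web.xml ahead of the login/authentication filter. On a Servlet 3.0+ container (Tomcat 7 and later) the same effect is available natively with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml.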