RE: Session Hijacking with Apache Tomcat

2007-04-04 Thread Peter Crowther
> From: Jasbinder Singh Bali [mailto:[EMAIL PROTECTED]]
> Isn't there any feature in tomcat itself that would automatically take care of session hijacking without doing something at web application level.

Not in all cases. SSL deals with untrusted networks, but if you can't trust the user's

Re: Session Hijacking with Apache Tomcat

2007-04-04 Thread David Smith
Jasbinder Singh Bali wrote: And how should I get rid of session hijacking? Is there any feature in tomcat that takes care of it? On 4/4/07, Mikolaj Rydzewski <[EMAIL PROTECTED]> wrote: Jasbinder Singh Bali wrote: >> In short, I need to demonstrate session hijacking in apache tomcat and >>

[OT] RE: Session Hijacking with Apache Tomcat

2007-04-04 Thread Peter Crowther
> From: Mikolaj Rydzewski [mailto:[EMAIL PROTECTED]]
> Jasbinder Singh Bali wrote:
> > And how should I get rid of session hijacking? Is there any feature in tomcat that takes care of it?
> Figure it out yourself, it's not so hard ;-)
>
> I.e. you can store client's IP address in a session,

Re: Session Hijacking with Apache Tomcat

2007-04-04 Thread Jasbinder Singh Bali
Isn't there any feature in tomcat itself that would automatically take care of session hijacking without doing something at web application level? Something like the way the BadInputFiltering valve in Tomcat tries to escape certain string patterns from the GET and POST parameter names and values so tha

RE: Session Hijacking with Apache Tomcat

2007-04-04 Thread Raghupathy, Gurumoorthy
: Mikolaj Rydzewski [mailto:[EMAIL PROTECTED]]
Sent: 04 April 2007 16:04
To: Tomcat Users List
Subject: Re: Session Hijacking with Apache Tomcat

Jasbinder Singh Bali wrote:
> And how should I get rid of session hijacking? Is there any feature in tomcat that takes care of it?

Figure it out yo

Re: Session Hijacking with Apache Tomcat

2007-04-04 Thread Mikolaj Rydzewski
Jasbinder Singh Bali wrote:
> And how should I get rid of session hijacking? Is there any feature in tomcat that takes care of it?

Figure it out yourself, it's not so hard ;-) I.e. you can store the client's IP address in a session, and compare it with every request. If they don't match, then sessio

RE: Session Hijacking with Apache Tomcat

2007-04-04 Thread Peter Crowther
> From: Jasbinder Singh Bali [mailto:[EMAIL PROTECTED]]
> And how should I get rid of session hijacking? Is there any feature in tomcat that takes care of it?

I shouldn't do your work for you, but... just hope your supervisor doesn't read tomcat-users :-). Demonstrate: the simplest approach is

Re: Session Hijacking with Apache Tomcat

2007-04-04 Thread Jasbinder Singh Bali
And how should I get rid of session hijacking? Is there any feature in tomcat that takes care of it? On 4/4/07, Mikolaj Rydzewski <[EMAIL PROTECTED]> wrote: Jasbinder Singh Bali wrote: >> In short, I need to demonstrate session hijacking in apache tomcat and >> then show measures that would be

Re: Session Hijacking with Apache Tomcat

2007-04-04 Thread David Tonhofer
Jasbinder Singh Bali wrote:
> Hi, I have to demonstrate Session Hijacking with Apache Tomcat to my advisor when some precautionary measures are not taken.

Maybe securityfocus.com has some information on that?

Re: Session Hijacking with Apache Tomcat

2007-04-04 Thread Mikolaj Rydzewski
Jasbinder Singh Bali wrote:
> In short, I need to demonstrate session hijacking in apache tomcat and then show measures that would be taken to get rid of it. Any kind of help would be highly appreciated.

Turn off cookies, Tomcat should then rewrite URLs to include jsessionid. Then it's trivial to