> From: Jasbinder Singh Bali [mailto:[EMAIL PROTECTED]
> Isn't there any feature in Tomcat itself that would automatically take care
> of session hijacking without doing something at web application level?
Not in all cases. SSL deals with untrusted networks, but if you can't
trust the user's
Jasbinder Singh Bali wrote:
And how should I get rid of session hijacking? Is there any feature in
Tomcat that takes care of it?
On 4/4/07, Mikolaj Rydzewski <[EMAIL PROTECTED]> wrote:
Jasbinder Singh Bali wrote:
>> In short, I need to demonstrate session hijacking in Apache Tomcat and
>>
> From: Mikolaj Rydzewski [mailto:[EMAIL PROTECTED]
> Jasbinder Singh Bali wrote:
> > And how should I get rid of session hijacking? Is there any feature in
> > Tomcat that takes care of it?
> Figure it out yourself, it's not so hard ;-)
>
> I.e. you can store client's IP address in a session,
Isn't there any feature in Tomcat itself that would automatically take care
of session hijacking without doing something at web application level?
Something like the way BadInputFilering valve in Tomcat tries to escape
certain string patterns from the GET and POST parameter names and values so
tha
From: Mikolaj Rydzewski [mailto:[EMAIL PROTECTED]
Sent: 04 April 2007 16:04
To: Tomcat Users List
Subject: Re: Session Hijacking with Apache Tomcat
Jasbinder Singh Bali wrote:
> And how should I get rid of session hijacking? Is there any feature in
> Tomcat that takes care of it?
Figure it out yo
Jasbinder Singh Bali wrote:
And how should I get rid of session hijacking? Is there any feature in
Tomcat that takes care of it?
Figure it out yourself, it's not so hard ;-)
I.e. you can store client's IP address in a session, and compare it with
every request. If they don't match, then sessio
> From: Jasbinder Singh Bali [mailto:[EMAIL PROTECTED]
> And how should I get rid of session hijacking? Is there any feature in
> Tomcat that takes care of it?
I shouldn't do your work for you, but... just hope your supervisor
doesn't read tomcat-users :-).
Demonstrate: the simplest approach is
And how should I get rid of session hijacking? Is there any feature in
Tomcat that takes care of it?
On 4/4/07, Mikolaj Rydzewski <[EMAIL PROTECTED]> wrote:
Jasbinder Singh Bali wrote:
>> In short, I need to demonstrate session hijacking in Apache Tomcat and
>> then show measures that would be
Jasbinder Singh Bali wrote:
Hi,
I have to demonstrate Session Hijacking with Apache Tomcat to my advisor
when some precautionary measures are not taken.
Maybe securityfocus.com has some information on that?
Jasbinder Singh Bali wrote:
In short, I need to demonstrate session hijacking in Apache Tomcat and
then show measures that would be
taken to get rid of it.
Any kind of help would be highly appreciated.
Turn off cookies, Tomcat should then rewrite URLs to include jsessionid.
Then it's trivial to