> From: Dave [mailto:[EMAIL PROTECTED]
> Hi, I am using URL rewriting for session tracking, i.e.,
> session id is on the URL. After I log in to a web
> application, if someone else knows my current session id,
> he/she can access my account using the session id. It is ok
> because it is difficult fo
Dave,
Dave wrote:
> Is there a solution for this scenario? The same security hole for
> cookie based session tracking? In our case, we have to use URL
> rewriting because sometimes a new session is needed when users click
> some links on pages.
>
>
cat-5.5-doc/ssl-howto.html
-or-
Encrypt each sessionid
If you don't have the former you'll definitely want to implement the latter.
Here's an example:
http://www.spiration.co.uk/post/1199
Martin--
- Original Message -
From: "Dave" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Tuesday, December 18, 2007 9:09 PM
Subject: tomcat session security hole
> Hi, I am using URL rewriting for session tracking, i.e., session id i
Hi, I am using URL rewriting for session tracking, i.e., session id is on the
URL. After I log in to a web application, if someone else knows my current
session id, he/she can access my account using the session id. It is ok because
it is difficult for others to guess my session id. But right no