Gary, to be really honest, what you're trying to do is implement an SSL-like mechanism without using SSL. This is exactly the situation that SSL is designed to guarantee from a Server perspective (that a single connection is actually with a single client and hasn't been "hijacked" in any way). It might just be faster (from a development perspective) to just go with SSL in production.

Any particular reason you're reluctant to go with an SSL-based solution?

Kirk Wylie
M7 Corporation

Gurpreet Dhanoa wrote:

Hi Andrew

You are right. I can implement SSL but there must be a solution for this
trouble, right????

Thanks

Gary
----- Original Message -----
From: "Andrew Hill" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Wednesday, December 03, 2003 3:14 PM
Subject: RE: Changing SessionId at every request


> ahhh... ok I think I see what you mean
>
> So by 'hand rolled' sessionId what you mean is some kind of token that must
> be submitted with each request to verify that it came from the real client?
> (Rather like the token mechanism used to detect double submissions)
>
> If he is after real security though, I would think using SSL might be a
> safer option - though the performance is lower.
>
>
> -----Original Message-----
> From: Adam Hardy [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 3 December 2003 17:33
> To: Struts Users Mailing List
> Subject: Re: Changing SessionId at every request
>
>
> I assume that Gurpreet wants to do it for security reasons and it's not
> a bad idea. It certainly means that nobody would be able to share a
> session, and so therefore a session hijack would become obvious
> immediately.
>
> I think expiring the session is overkill - I would just leave the
> session as it is and use the filter to check and change my own
> hand-rolled session id.
>
> Adam
>
> On 12/03/2003 08:20 AM Navjot Singh wrote:
> > don't know why you wish to do so?
> > but it can be done. Write a filter. Pass every request through that.
> >
> > 1. Fetch the session, expire it. Server will assign a new one.
> > 2. Fetch the session, don't expire the session, just append a timestamp to
> > it. Set a cookie and use that to maintain the session.
> >
> > HTH
> > navjot singh
> >
> >
> >>-----Original Message-----
> >>From: Gurpreet Dhanoa [mailto:[EMAIL PROTECTED]
> >>Sent: Wednesday, December 03, 2003 11:44 AM
> >>To: Struts Users Mailing List
> >>Subject: Changing SessionId at every request
> >>
> >>
> >>Hi,
> >>
> >>Is it possible to change the Session Id generated by the Web
> >>Server at every request for the same client? I will make it much
> >>more clear.
> >>
> >>Say I have a Servlet running on Tomcat. What I want is whenever
> >>any user, let's assume USER A, asks for a request I want to change the
> >>sessionId server variable which has been generated by the Web
> >>Server to uniquely identify the client.
> >>
> >>Purpose behind doing this is to make every request safe.
> >>
> >>
> >>Any suggestions will be highly appreciated.
> >>
> >>
> >>Thanks in Advance
> >>Gary
> >>
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
>
> --
> struts 1.1 + tomcat 5.0.14 + java 1.4.2
> Linux 2.4.20 RH9
>









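The approach Navjot (option 2) and Adam describe above, as an added example that is not code from any of the posters: a servlet filter that leaves the container's JSESSIONID alone and maintains its own hand-rolled token, checked and replaced on every request. Everything here is an assumption for illustration: the class and cookie names (`RequestTokenFilter`, `REQ_TOKEN`, `example.requestToken`), and a Servlet 3.0 or later API so that `Cookie.setHttpOnly` exists (the thread's Tomcat 5 / Servlet 2.4 would need that line dropped).

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not from the thread): keeps the container session as it
 * is and adds a second, per-request token. A request whose token does not match
 * the one stored in the session is treated as a second party using the session,
 * and the session is dropped.
 */
public class RequestTokenFilter implements Filter {

    static final String COOKIE_NAME = "REQ_TOKEN";              // assumed cookie name
    static final String SESSION_ATTR = "example.requestToken";  // assumed session attribute
    private final SecureRandom random = new SecureRandom();

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        String expected = (String) session.getAttribute(SESSION_ATTR);
        String presented = readCookie(request, COOKIE_NAME);

        // First request of a session has no stored token yet; every later one must match.
        if (expected != null && !constantTimeEquals(expected, presented)) {
            // Missing or stale token: either a hijacked session or a concurrent
            // request that raced us (see usage note). Invalidate and refuse.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "session token mismatch");
            return;
        }

        // Rotate before the application runs, so the new token is issued even if
        // the downstream servlet fails.
        String fresh = newToken();
        session.setAttribute(SESSION_ATTR, fresh);
        Cookie c = new Cookie(COOKIE_NAME, fresh);
        c.setPath("/");
        c.setHttpOnly(true);              // keeps page scripts from reading the token (Servlet 3.0+)
        c.setSecure(request.isSecure());  // Secure flag only when the request itself came over TLS
        response.addCookie(c);

        chain.doFilter(req, res);
    }

    /** 128 bits from SecureRandom as URL-safe base64; not a timestamp, which would be guessable. */
    String newToken() {
        byte[] b = new byte[16];
        random.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    static String readCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    /** Length-independent comparison so a wrong token fails in constant time. */
    static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) return false;
        return MessageDigest.isEqual(a.getBytes(), b.getBytes());
    }
}
```

Map the filter to `/*` in web.xml so it runs ahead of the Struts action servlet. Two caveats a deployer should weigh before using this pattern. First, strict per-request rotation rejects any two requests from the same browser that are in flight at once (frames, images served through the filter, a double-click), because the second one still carries the old token; applications with concurrent requests need either a short grace window for the previous token or rotation only on state-changing requests. Second, the token travels in the same cookie header as JSESSIONID, so anyone able to read the session id off a plaintext connection reads the token too; that is Kirk's point above, and the reason this is a complement to TLS rather than a replacement for it. Later Servlet versions (3.1 and up) also provide `HttpServletRequest.changeSessionId()`, which rotates the container's own id without discarding the session's attributes, a cheaper alternative to Navjot's option 1.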