Re: [VOTE] Proposed API change to the Manager interface

Tim Funk Mon, 07 Feb 2005 08:18:42 -0800

If I read this correctly (big if), the solution could be a security problem. If I were a phisher, I might be able to send you an email with a link to that would redirect you to a tomcat server with the new configuration in question with a special id. If the user were to perform other actions of a confidential nature, the attacker could swoop in and impersonate that session.

The phisher could easily be notified that the special session id was used and have a farm of wamr bodies ready to attack.

-Tim

Remy Maucherat wrote:

To address this, I propose simply reusing any session id presented by the client. As an option, this could be done only if emptySessionPath is true. I have tested it, and it works very well, addressing the problem with emptySessionPath="true". I could not think of any security issue this would cause (if the client submits a bogus insecure id, then he'll be the one being impacted), since the undelying session objects would be created and handled as usual. In "normal" more (emptySessionPath set to false), this would save costly session id generation.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [VOTE] Proposed API change to the Manager interface

Reply via email to