Diethelm Guallar, Gonzalo wrote:

> This may show my ignorance; here it goes...
> 
> When a user visits a Turbine app, Turbine
> creates a session for the user, and sends
> the user an opaque identifier for the session
> (in the shape of a cookie or a URL parameter).
> Say it is a URL parameter, for simplicity.
> How easy would it be for another user on a
> separate machine to just copy the whole URL
> and, to a certain extent, "hijack" the session?
> What information is associated with this
> identifier within Turbine to ensure that the
> client that originally authenticated is
> the one who keeps sending requests for the
> session?
> 
> Please correct any misunderstandings that I
> may have about how Turbine operates. Thanks,

This is Tomcatland (or Catalinaland, if you prefer). It is the servlet
container that is in charge of establishing and maintaining sessions.

Just some tests with tomcat 3.2.2-dev, cookies disabled, mozilla 0.8:

Start a Jetspeed session, login as admin (at localhost:8080).

In the same machine, point a different window to
<hostname>/jetspeed/;jsessionid=... (copying it).

Voilà, I'm admin in two windows.

But Tomcat could use the source IP to generate the cookie, so from a
different machine it will not work. I can't test right now.
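The two mitigations touched on above (not trusting a session id that arrived in the URL, and binding a session to the address seen at login) as an added servlet Filter, written for this reply and not code from Turbine, Jetspeed or Tomcat. It assumes the Servlet 2.3 Filter API (Tomcat 4 and later, so not the 3.2.2 build tested above), and the class name and the "auth.remoteAddr" attribute are this example's own choices.

```java
// Added example, not from the thread or any of the projects it mentions.
// Assumes the javax.servlet Filter API (Servlet 2.3+); the attribute name
// "auth.remoteAddr" is a hypothetical name chosen for this example.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionBindingFilter implements Filter {
    static final String ADDR_ATTR = "auth.remoteAddr";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A session id carried in the URL (;jsessionid=...) is exactly what the
        // test above copied into a second window: do not honour it at all.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession s = request.getSession(false);
            if (s != null) s.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "session id in URL not accepted");
            return;
        }

        HttpSession session = request.getSession(false);
        if (session != null) {
            String bound = (String) session.getAttribute(ADDR_ATTR);
            String now = request.getRemoteAddr();
            if (bound == null) {
                // First request on this session: record the client address.
                session.setAttribute(ADDR_ATTR, now);
            } else if (!bound.equals(now)) {
                // Caveat: clients behind NAT or rotating proxies change address
                // legitimately, so this is a hardening layer on top of cookie-only
                // session ids, not a replacement for them.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "session address mismatch");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to the protected paths in web.xml; with URL rewriting refused, the container should also be left to issue session ids only through cookies.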
