On Mon, 18 Oct 2010 08:47:05 -0200, Mike Oestereter <mike.oestere...@gmail.com> wrote:

> Hi

Hi!

> How can I change the value of the JSESSIONID cookie after
> successful login - failure to do this will result in a session
> hijacking vulnerability.

The session cookie is created and removed by the servlet container (server), not by Tapestry itself. Have you tried grabbing the Session object and invalidating it directly?

Could you post us something about the vulnerability? I'm curious to read about it. :)

> In Tapestry 5.0 the value of the cookie (somewhat magically and
> unexpectedly) changed when a new instance of my SessionState object
> was created: e.g.

Are you sure? This doesn't make a lot of sense. As you can have more than one session state object, changing the session id would be the same as invalidating the session. This would be a serious bug.

--
Thiago H. de Paula Figueiredo
Independent Java, Apache Tapestry 5 and Hibernate consultant, developer, and instructor
Owner, Ars Machina Tecnologia da Informação Ltda.
http://www.arsmachina.com.br

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org

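What the thread is circling around is session fixation: if the JSESSIONID issued to the anonymous visitor survives login, an attacker who planted or observed that id beforehand owns the authenticated session. Thiago's suggestion is the right one, and the code below is an added example of it (written for this page, not Tapestry's own code or anything Mike posted). It uses only the Servlet API, because the container owns the cookie; in Tapestry 5 the underlying HttpServletRequest is reachable through RequestGlobals.getHTTPServletRequest(). The class name, method names and the choice to carry all attributes over are my own.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the container-managed session, and with it the JSESSIONID
 * cookie, after a successful login, so that any id the browser carried
 * before authentication is dead server-side.
 *
 * Added example (hypothetical helper, not part of Tapestry).
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Servlet 2.x approach: invalidate the old session and ask the
     * container for a new one. Attributes are copied across so the
     * user's state (e.g. Tapestry's session state objects, stored as
     * session attributes) survives under the fresh id.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();          // old JSESSIONID no longer resolves
        }
        // Container creates a new session and queues a Set-Cookie for it
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /**
     * Servlet 3.1+ approach: keep the HttpSession object, change its id.
     * No attribute copying needed, but it requires a 3.1 container.
     */
    public static String rotateInPlace(HttpServletRequest request) {
        if (request.getSession(false) == null) {
            request.getSession(true);
        }
        return request.changeSessionId();
    }
}
```

Call rotate() from the login handler after credentials have been verified and before anything is written to the response, since the new Set-Cookie header must go out before the response is committed. Copying every attribute is the simplest way to keep the user logged in; if the pre-login session holds anything an attacker could have influenced (for example values set through an unauthenticated page), copy only the attributes you know you need.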