I will use a filter to remove and prevent the jsessionid in the URL. It's indeed really simpler! Thanks for your answer and your suggestions.
Lo

2014-04-18 22:41 GMT+02:00 Christopher Schultz <ch...@christopherschultz.net>:

> Lo,
>
> On 4/17/14, 10:44 AM, Sauvel Laurent wrote:
> > 1. Before testing the code below with different Tomcat
> > configurations, I would like to know if there is a better way to
> > do what I want. I'm not really satisfied with this code that is
> > closely related to Tomcat classes.
>
> You are trying to fetch a value from a Tomcat-specific
> configuration... why do you think you can do this in a
> non-Tomcat-specific way?
>
> > 2. The original problem is that I would like to:
> >
> > a) prevent Tomcat (6.0.x, including versions older than 6.0.30)
> > from adding the ";jsessionid=xxx" string to the URL when there is
> > no cookie named JSESSIONID in the client browser
>
> Use a Filter, just like everybody else. This will work in any container.
>
> > b) prevent jsessionid hijacking via the url, i.e. redirect to an
> > error page when the "jsessionid=" string is detected in the URL
>
> You can do this with a Filter, too. No Tomcat-specific code necessary.
>
> AFAICT, you don't need to sniff/set the disableURLRewriting attribute
> value at all.
>
> Just FYI, preventing "jsessionid hijacking" does not prevent session
> hijacking at all. Forging the JSESSIONID cookie is just as easy as
> forging a jsessionid URL path parameter. The difference is that you
> can't email a cookie-laden URL to someone.
>
> The real way to prevent session hijacking is to change the session id
> after a login, which is exactly what Tomcat already does for you, so
> you shouldn't have to worry about it at all.
>
> -chris
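For readers who want to see what the container-independent Filter suggested in this thread looks like, here is an added example; it is not code from either poster. It does both things asked for in the original mail: it stops ";jsessionid=..." from ever being appended to encoded URLs by wrapping the response, and it redirects any request whose session id arrived in the URL path (which the Servlet API reports via `isRequestedSessionIdFromURL()`) to an error page. The class name and the `/session-error.html` path are assumptions; the rest is plain Servlet 2.5 API as shipped with Tomcat 6.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Added example (not from the thread). A filter that keeps session ids out of
// URLs without touching any Tomcat-specific class:
//  (a) encodeURL/encodeRedirectURL return the URL unchanged, so the container
//      never appends ";jsessionid=..." for cookie-less clients;
//  (b) a request whose session id was supplied in the URL path is redirected
//      to an error page instead of being served.
public class NoUrlSessionIdFilter implements Filter {

    // Assumed error page path; point it at the application's own page.
    private static final String ERROR_PAGE = "/session-error.html";

    public void init(FilterConfig cfg) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // (b) The container already knows where the requested id came from.
        //     A URL-borne id is never honoured: no session is looked up or
        //     created here, the client is simply sent to the error page.
        if (request.isRequestedSessionIdFromURL()) {
            response.sendRedirect(request.getContextPath() + ERROR_PAGE);
            return;
        }

        // (a) Wrap the response so URL rewriting becomes a no-op for every
        //     servlet/JSP downstream, whatever the container's own setting is.
        HttpServletResponse noRewrite = new HttpServletResponseWrapper(response) {
            @Override public String encodeURL(String url) { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
            @Override @SuppressWarnings("deprecation")
            public String encodeUrl(String url) { return url; }
            @Override @SuppressWarnings("deprecation")
            public String encodeRedirectUrl(String url) { return url; }
        };

        chain.doFilter(request, noRewrite);
    }

    public void destroy() { }
}
```

Map the filter to `/*` in web.xml and list it before any other filter so nothing upstream sees the unwrapped response. Two consequences worth knowing: clients that refuse cookies lose session tracking entirely, which is exactly the behaviour the original poster asked for in (a); and, as Chris points out above, this only removes the URL as a carrier of the id, it does not make the id itself any harder to forge. On Servlet 3.0 or newer containers the same effect as (a) is available declaratively with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`, but Tomcat 6 is a Servlet 2.5 container, hence the filter.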