In this case the chances are relatively high - imagine a company using a
proxy to connect to the Internet. The client IP does not change, a someone
in the company sniffing can easily hijack sessions from his/her colleagues.
Tomas
"Long"
<[EMAIL PROTECTED]
om> To
"Tomcat Users List"
10.08.2006 18:30 <users@tomcat.apache.org>
cc
Please respond to Subject
"Tomcat Users Re: Session hijacking with
List" Tomcat/Myfaces - unable to fix it
<[EMAIL PROTECTED]
che.org>
I wonder if associating (and checking) the request IP with the session
would reduce the problem to some acceptable level. What is
the chance of a session being hijacked from the same network (face-ip)?
Another question is can the original request IP be spoofed?
Long
----- Original Message -----
From: "Tomas Hulek" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Thursday, August 10, 2006 12:06 PM
Subject: Re: Session hijacking with Tomcat/Myfaces - unable to fix it
>
> We have tried it, but the internal session attributes where Tomcat stores
> the original request are hidden to application, and are certainly not
> accessible to javax.servlet.* API (and we do try to write PORTABLE
> application, relying on the specification and not on the internals of one
> particular servlet engine).
>
> Commenting on other suggestions
>
> 1) SSL for the whole application is not practical, there are many users
who
> only use the public pages and never log in.
>
> 2) We have implemented one workaround in the login-form
> if the session was not generated under SSL do the following:
> - invalidate session
> - create new session and mark it as safe (generated under SSL)
> - do an external redirect to a fixed, non-public page
>
> The last step will start the whole login process again, this time with a
> safe session ID.
>
>
> I am still not happy with it. A very enhancement in Tomcat would do:
> generate new session ID after switch to HTTPS, based eg. on the SSL
session
> ID (to get a new, unique ID).
>
> Tomas
>
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
