I wonder if associating (and checking) the request IP with the
session would reduce the problem to some acceptable level. What is
the chance of a session being hijacked from the same network
(face-ip)?
Another question is can the original request IP be spoofed?
In this case the chances are relatively high - imagine a company
using a proxy to connect to the Internet. The client IP does not
change, a someone in the company sniffing can easily hijack sessions
from his/her colleagues.
Checking the request IP to ensure that it matches the session is a
good idea, though it doesn't stop all attacks.
If you were to do that, you could also easily add a session attribute
indicating whether the session was created under http or https and
invalidate/create a new session if a http session is attempted to be
used under https.
Besides that, as others suggested, the best thing to do is to simply
put everything under SSL.
-Dave
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
