Isn't there any feature in Tomcat itself that would automatically take care of session hijacking without doing something at the web application level? Something like the way the BadInputFiltering valve in Tomcat tries to escape certain string patterns from the GET and POST parameter names and values so that most XSS exploits fail to work, without modifying or disabling the web applications.
On 4/4/07, Mikolaj Rydzewski <[EMAIL PROTECTED]> wrote:
Jasbinder Singh Bali wrote:
> And how should i get rid of session hijacking. Is there any feature in
> tomcat that takes care of it?

Figure it out yourself, it's not so hard ;-) I.e. you can store the client's IP address in a session, and compare it with every request. If they don't match, then the session is probably hijacked. That's the easiest solution, which will break some clients.

--
Mikolaj Rydzewski <[EMAIL PROTECTED]>
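The IP-binding check Mikolaj describes, written as a servlet Filter for Tomcat. This is an added example, not code from the thread or from Tomcat itself; the class name, the session attribute name and the 403 response are my own choices, and it assumes the javax.servlet API that Tomcat provides.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Binds each HTTP session to the client address it was first seen from and
// rejects later requests that present the same session from another address.
public class SessionIpBindingFilter implements Filter {
    // Hypothetical attribute name; any key unlikely to clash with the webapp works.
    private static final String BOUND_IP = "sessionipbinding.boundIp";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false) does not create a session for anonymous requests.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // getRemoteAddr() is the TCP peer address. Behind a reverse proxy
            // every client shares the proxy's address, and clients whose
            // address changes mid-session (NAT pools, mobile) are locked out,
            // which is the "will break some clients" caveat from the post.
            String clientIp = request.getRemoteAddr();
            String boundIp = (String) session.getAttribute(BOUND_IP);
            if (boundIp == null) {
                // First request seen for this session: record its origin address.
                session.setAttribute(BOUND_IP, clientIp);
            } else if (!boundIp.equals(clientIp)) {
                // Mismatch: treat the session as hijacked. Invalidating it
                // also cuts off whoever still holds the original session id.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Session is not valid from this address");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Register it in the webapp's web.xml with a filter-mapping on url-pattern /* so it runs before any servlet that touches the session.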