Jasbinder Singh Bali wrote:
And how should I get rid of session hijacking? Is there any feature in
Tomcat that takes care of it?
On 4/4/07, Mikolaj Rydzewski <[EMAIL PROTECTED]> wrote:
> Jasbinder Singh Bali wrote:
>> In short, I need to demonstrate session hijacking in Apache Tomcat and
>> then show measures that would be taken to get rid of it.
>>
>> Any kind of help would be highly appreciated.
>
> Turn off cookies, Tomcat should then rewrite URLs to include jsessionid.
> Then it's trivial to hijack such a session.
>
> --
> Mikolaj Rydzewski <[EMAIL PROTECTED]>
Your only avenue in avoiding a session hijack is SSL. IP checking is of
limited success and still allows for the man-in-the-middle attack as
well as hijacks from others that log in behind the same cable router you
are on. If it's important enough that session hijacking is a concern,
it needs to be encrypted.
--David
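As an added, defensive example that is not part of this thread or the Tomcat project's own configuration: a web.xml that addresses both points raised above, keeping the session id out of rewritten URLs (jsessionid) and forcing the whole application onto SSL. It assumes a Servlet 3.0 container (Tomcat 7 or later), since the <cookie-config> and <tracking-mode> elements do not exist in the Servlet 2.x web.xml that Tomcat 5.5/6 used.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumes Servlet 3.0 (Tomcat 7+); earlier Tomcat versions ignore or reject
     the session-config children below. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Weak default: with no tracking-mode set, a client that refuses cookies
       gets the session id rewritten into every URL (;jsessionid=...), so it
       ends up in browser history, proxy and server logs, and Referer headers.
       Restricting tracking to COOKIE means no cookie support = no session,
       rather than a session id that leaks through URLs. -->
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <!-- Not readable from JavaScript; limits theft of the id via XSS. -->
      <http-only>true</http-only>
      <!-- Browser only sends the cookie over HTTPS, never over plain HTTP. -->
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

  <!-- Force SSL for every request, which is the "it needs to be encrypted"
       measure: Tomcat redirects plain-HTTP requests to the HTTPS connector
       (the redirectPort configured on the HTTP Connector in server.xml). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

A quick check after deploying: request any page over HTTP and confirm a redirect to HTTPS, then inspect the Set-Cookie header for JSESSIONID and verify it carries the Secure and HttpOnly flags and that no ;jsessionid= appears in generated links.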