-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Allen,

Williams, Allen wrote:
> Yeah, I'm already sending some stuff over by URL anyway, but there seems
> to be some concern floating around the net regarding session hijacking
> if the session ID is readily available.  However, although I wouldn't
> pretend to be an expert.

Session hijacking is no more difficult when using cookies than when using
URL-encoded session ids. It's just more obvious that session ids are
being passed because you can see them in the request.

Any Tomcat server will accept a session id through the URL. I don't
think you can turn it off. That means that, even if you had intended to
use cookies, a rogue user could send a request with a URL-encoded
session id and hijack a session.

This is why we use HTTPS when anything important is going on.

> Anyway, I took Christopher's advice, and deleted all the cookies, even
> restarted my browser (it's been running for several days), and did some
> testing.  I now have two (2!) JSESSIONID's in my browser, as well as
> userid and password cookies, but on the server side, it says no cookies
> were sent.

Something is definitely wrong. Your browser has two cookies and sends
neither of them?

> And, I finally found the "Headers" section under "Net" in Firebug.  As
> near as I can decipher this, all my requests are sending a JSESSIONID
> cookie *except* the one for the XMLHttpRequest.

Does the "path" of the cookie appear as a prefix of the URL you are
trying to access via XMLHttpRequest? If not, the browser is acting
appropriately.

> Looking at these cookies with the WebDeveloper tools in Firefox, the
> difference is that the new one created during the XMLHttpRequest is
> associated with a "/" path, the other one (the "real" one) with
> "/myAppName" path.

Are you using two different webapps or something?

> Is it possible the difference in these path associations has something
> to do with not finding the session?

Absolutely.

> I do use a different URL mapping
> for this servlet because of a "CheckUser" problem I had way back that
> started this whole chain.

A different URL mapping or a different context for your web application?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGU0479CaO5/Lv0PARAlXqAKCkQj3iop4lu04htl6rDTzM8ej5jwCghT7j
tMMa3PT644Lnz3zTT61wJZ8=
=B2t3
-----END PGP SIGNATURE-----
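To make the cookie-path point concrete, here is an added example (not code from the thread, Tomcat, or Firebug) that models the browser's path-matching rule from RFC 6265 section 5.1.4 and shows which of two JSESSIONID cookies would accompany a given request. It also flags a `;jsessionid=` path parameter in a URL, since Tomcat reads session ids from there too. The host `example.invalid`, the cookie values, and the request URLs are constructed for the demonstration; the context path `/myAppName` is the one from the thread.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str  # the Path attribute the server set on the cookie


def cookie_path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: a cookie is sent only when its
    Path is identical to the request path, or is a prefix that ends in "/",
    or is a prefix followed by "/" in the request path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def cookies_for_request(jar: list[Cookie], url: str) -> list[Cookie]:
    """Which cookies in the jar a browser would attach to a request for url."""
    path = urlsplit(url).path or "/"
    return [c for c in jar if cookie_path_matches(c.path, path)]


def session_id_in_url(url: str) -> str | None:
    """Return the value of a ;jsessionid= path parameter if one is present.
    Useful when scanning access logs for session ids travelling in URLs."""
    for segment in urlsplit(url).path.split("/"):
        for param in segment.split(";")[1:]:
            key, _, value = param.partition("=")
            if key.lower() == "jsessionid":
                return value
    return None


# Constructed jar mirroring the situation in the thread: one "real" session
# cookie scoped to the webapp context, and a second one scoped to "/".
JAR = [
    Cookie("JSESSIONID", "REAL-SESSION-0001", "/myAppName"),
    Cookie("JSESSIONID", "STRAY-SESSION-0002", "/"),
]


def paths_sent(url: str) -> list[str]:
    """Cookie paths that would be sent for url, in jar order."""
    return [c.path for c in cookies_for_request(JAR, url)]


if __name__ == "__main__":
    for u in (
        "https://example.invalid/myAppName/page.jsp",
        "https://example.invalid/otherMapping/CheckUser",
        "https://example.invalid/myAppNameX/page.jsp",
        "https://example.invalid/myAppName/page;jsessionid=ABC123?q=1",
    ):
        print(u, "->", paths_sent(u), "url session id:", session_id_in_url(u))
```

A request under `/myAppName/` receives both cookies; a request to any other context (or to a path such as `/myAppNameX` that merely shares the prefix) receives only the `/`-scoped one, which is how an XMLHttpRequest to a differently mapped URL ends up without the webapp's session cookie.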

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]