Hi Martin,

  Thanks for your help.
  I looked at the two links you provided. But I do not understand how they can
solve the problem. I must be missing something.

  For SSL, the URL still needs to have the session id, for example,

https://www.xyz.com/returnPage.jsp;jsessionid=188727usdfkjaf-92098js8980?name='Foo'

  For session id encryption, that is one-way encryption appending a digest code
to the URL, the URL also needs to have the session id so that Tomcat will know the
session id of the requests.

https://www.xyz.com/returnPage.jsp;jsessionid=188727usdfkjaf-92098js8980?name='Foo'&digest='abc123'

  Please give me further help. Thanks,
  Dave
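Added example, not code from this thread, from Tomcat or from the linked posts: one way to keep the session id out of the return URL entirely, which is the gap Dave points out in both the SSL and the digest approaches. The payment provider is handed only a random, short-lived, single-use token; the return page exchanges it server-side for the user's identity and then starts a fresh session for that user. `ReturnTokenStore`, `issue`, `redeem` and the `rt` parameter are assumed names, and the user id is a constructed sample.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not code from the thread, Tomcat or the linked posts.
// The return URL given to the payment provider carries only a random, short-lived,
// single-use token; the user's session id never leaves the server.
public final class ReturnTokenStore {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Entry> tokens = new ConcurrentHashMap<>();
    private final long ttlMillis;

    private static final class Entry {
        final String userId;
        final long expiresAt;
        Entry(String userId, long expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }

    public ReturnTokenStore(long ttlMillis) { this.ttlMillis = ttlMillis; }

    /** Called just before redirecting to the payment site: bind a fresh token to the logged-in user. */
    public String issue(String userId) {
        byte[] raw = new byte[32];                        // 256 bits from a CSPRNG, not guessable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(token, new Entry(userId, System.currentTimeMillis() + ttlMillis));
        return token;
    }

    /** Called by the return page: yields the user id exactly once, or null if the token is
     *  unknown, expired or already used. The page then creates a NEW session for that user,
     *  so nothing in the URL is ever a session id that could be reused later. */
    public String redeem(String token) {
        Entry e = tokens.remove(token);                   // remove first, so a replay always fails
        if (e == null || System.currentTimeMillis() > e.expiresAt) return null;
        return e.userId;
    }

    public static void main(String[] args) {
        ReturnTokenStore store = new ReturnTokenStore(15 * 60 * 1000L);   // 15-minute validity
        String token = store.issue("dave");                               // constructed user id
        // This is all the payment provider ever sees: no jsessionid in the URL.
        System.out.println("https://www.xyz.com/returnPage.jsp?rt=" + token);
        System.out.println("first redeem : " + store.redeem(token));
        System.out.println("second redeem: " + store.redeem(token));     // replay is rejected
    }
}
```

The token is still a bearer value while it lives, so keep the TTL short and serve the return page over HTTPS; because it is single use, a redemption by anyone other than the returning user shows up as a failed redeem for the real user, which is worth logging.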
   
   
  

Martin Gainty <[EMAIL PROTECTED]> wrote:
  Hi Dave

http://www.securityfocus.com/infocus/1774
suggests either implementing with
SSL connector
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

-or-
Encrypt each sessionid
If you don't have the former you'll definitely want to implement the latter.
Here's an example
http://www.spiration.co.uk/post/1199

Martin--
----- Original Message -----
From: "Dave" 
To: "Tomcat Users List" 
Sent: Tuesday, December 18, 2007 9:09 PM
Subject: tomcat session security hole


> Hi, I am using URL rewriting for session tracking, i.e., session id is on
> the URL. After I log into a web application, if someone else knows my
> current session id, he/she can access my account using the session id. It is
> ok because it is difficult for others to guess my session id. But right now
> I encounter an issue that will breach the security.
>
> Our web application is using a 3rd party payment system. When a user
> clicks the pay button, we need to tell the payment system a return URL, a page
> URL to go to after a user finishes with the payment system. The return URL
> needs to have the user's session id so that he/she will not need to login
> again after returning from the payment system. In this case, the 3rd party payment
> system will know the user's session id, a security hole.
>
> Is there a solution for this scenario? Is it the same security hole for cookie
> based session tracking? In our case, we have to use URL rewriting because
> sometimes a new session is needed when users click some links on pages.
>
> In my opinion, session id is not sufficient to identify a session, it
> should have the client's ip address for more security.
>
> Thanks for any ideas.
> Dave