> From: Pieter Temmerman [mailto:ptemmerman....@sadiel.es]
> However, as the jsessionid URL rewriting is defined in the servlet
> specification, I would expect this to be secure.

Why, out of interest?

> Therefore I was wondering whether the hijacking is caused by a
> misconfiguration of Tomcat, my webapp or rather completely normal.

It's completely normal. Other frameworks have exactly the same features. Some form of magic number maps to a session; match the magic number and you match the session. Sometimes there's a different magic number to match a login, but that's just a different magic number that can be hijacked too.

If you don't want eavesdroppers to be able to pick up your sessions, use SSL. If you don't want session IDs to appear in your URLs so that your users don't cut+paste them or save them in favourites, use cookies. But be assured that if someone can read the request your browser sends to the server, they can hijack your session.

- Peter
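The cookie-only setup Peter recommends, written out as an added example that is not part of the original thread: a `web.xml` session configuration in Servlet 3.0 syntax, so it assumes Tomcat 7 or later (the thread does not state a version). It tells the container to stop rewriting `;jsessionid=...` into URLs and to mark the session cookie Secure and HttpOnly so the ID only travels over TLS. The element names are standard Servlet 3.0; the timeout value is an illustrative choice.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.xml fragment for a Servlet 3.0 webapp (Tomcat 7 or later assumed). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <session-config>
    <!-- Idle timeout in minutes (illustrative value): bounds how long a
         captured session ID remains usable. -->
    <session-timeout>30</session-timeout>

    <cookie-config>
      <!-- Secure: the browser only sends the cookie over HTTPS, so a plain-HTTP
           eavesdropper never sees the session ID. -->
      <secure>true</secure>
      <!-- HttpOnly: script running in the page cannot read the cookie. -->
      <http-only>true</http-only>
    </cookie-config>

    <!-- COOKIE only: the container stops appending ;jsessionid=... to URLs
         returned by response.encodeURL()/encodeRedirectURL(), so session IDs
         no longer end up in bookmarks, pasted links or Referer headers. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

</web-app>
```

Two things to check after deploying this: the application must actually be served over HTTPS, because a Secure cookie is never sent on plain HTTP and every request would start a fresh session; and clients with cookies disabled lose session continuity, since URL tracking is the fallback that has just been switched off. That trade-off is exactly the one Peter describes: the ID has to travel somewhere, and the cookie over SSL is the channel an eavesdropper cannot read.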