> From: Pieter Temmerman [mailto:ptemmerman....@sadiel.es]
> However, as the jsessionid URL rewriting is defined in the servlet
> specification, I would expect this to be secure.

Why, out of interest?

> Therefore I was wondering whether the hijacking is caused by a
> misconfiguration of Tomcat, my webapp or rather completely normal.

It's completely normal.  Other frameworks have exactly the same features.  Some 
form of magic number maps to a session; match the magic number and you match 
the session.  Sometimes there's a different magic number to match a login, but 
that's just a different magic number that can be hijacked too.

If you don't want eavesdroppers to be able to pick up your sessions, use SSL.  
If you don't want session IDs to appear in your URLs so that your users don't 
cut+paste them or save them in favourites, use cookies.  But be assured that if 
someone can read the request your browser sends to the server, they can hijack 
your session.

                - Peter
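The point above in runnable form, as an added example that is not part of the original thread and not Tomcat's own code: a toy session store keyed by the "magic number", a servlet-style lookup that accepts the ID either from a JSESSIONID cookie or from a ";jsessionid=" path parameter (URL rewriting), and an "eavesdropper" that simply copies the ID out of the captured plaintext request and replays it. The host name, paths, user name and request text are constructed for the demo; the parsing is a simplification of what a container does, not Tomcat's implementation.

```python
"""Toy model of why a sniffed session ID is enough to hijack a session.

Added example for this thread (not Tomcat code). Host, paths and user are
constructed sample data.
"""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Server side: the session store. The key is the only thing that ties a
# request to a session; nothing else about the request is checked.
SESSIONS = {}


def create_session(user):
    """Create a session with a 128-bit random ID and return the ID."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user}
    return sid


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def session_id_from_request(raw):
    """Servlet-style lookup: JSESSIONID cookie first, then ;jsessionid= in the path.

    The path-parameter name is compared as-is (lower case), which is a
    simplification of the container's behaviour.
    """
    _method, target, headers = parse_request(raw)
    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        if "JSESSIONID" in jar:
            return jar["JSESSIONID"].value
    # urlsplit (unlike urlparse) keeps ";param=value" inside the path
    path = urlsplit(target).path
    for segment in path.split("/"):
        _base, _, params = segment.partition(";")
        for param in params.split(";"):
            key, _, value = param.partition("=")
            if key == "jsessionid" and value:
                return value
    return None


def lookup_session(raw):
    """What the container does per request: map the ID to a session or None."""
    return SESSIONS.get(session_id_from_request(raw))


def build_request(path, sid=None, via="cookie"):
    """Client side: a GET carrying the session ID as a cookie or via URL rewriting."""
    if via == "url" and sid:
        path = f"{path};jsessionid={sid}"
    req = f"GET {path} HTTP/1.1\r\nHost: shop.example\r\n"
    if via == "cookie" and sid:
        req += f"Cookie: JSESSIONID={sid}\r\n"
    return req + "\r\n"


def hijack_demo(via):
    """Victim logs in, eavesdropper copies the ID from the plaintext request,
    replays it in a fresh request and gets the victim's session back.
    Returns the user the attacker's request resolves to."""
    sid = create_session("alice")
    victim_request = build_request("/account", sid, via)
    # No cryptography involved: the ID is right there in the bytes on the wire.
    captured_sid = session_id_from_request(victim_request)
    attacker_request = build_request("/account", captured_sid, via)
    session = lookup_session(attacker_request)
    return session["user"] if session else None


if __name__ == "__main__":
    for mode in ("cookie", "url"):
        print(f"{mode:6s} -> attacker is treated as {hijack_demo(mode)!r}")
    print("no id  ->", lookup_session(build_request("/account")))
```

Running it shows the attacker resolving to "alice" in both modes; swapping cookies for URL rewriting changes where the ID sits in the request, not what an observer of that request can do with it, which is why the answer above is TLS rather than a different carrier.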

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org