> > However, as the jsessionid URL rewriting is defined in the servlet
> > specification, I would expect this to be secure.
>
> Why, out of interest?

I don't know. It just seemed way too easy to hijack a session, so I supposed it must be secure.

> It's completely normal. Other frameworks have exactly the same features.
> Some form of magic number maps to a session; match the magic number and you
> match the session. Sometimes there's a different magic number to match a
> login, but that's just a different magic number that can be hijacked too.
>
> If you don't want eavesdroppers to be able to pick up your sessions, use SSL.
> If you don't want session IDs to appear in your URLs so that your users
> don't cut+paste them or save them in favourites, use cookies. But be assured
> that if someone can read the request your browser sends to the server, they
> can hijack your session.

In my case cookies are created as well. By SSL, I suppose you mean client authentication with a certificate?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
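The two pieces of advice in the quoted reply (keep the session ID out of URLs, and only let it travel over an encrypted connection) can both be expressed in the web application's deployment descriptor. The fragment below is an added illustration, not configuration from this thread or from Tomcat's own documentation; it assumes a Servlet 3.0 or later container (Tomcat 7 and up) and that the application is actually served over HTTPS, since the `secure` flag on its own does not create an encrypted connection, it only stops the browser from sending the cookie over plain HTTP.

```xml
<!-- web.xml fragment (added example, assumes Servlet 3.0+ / Tomcat 7+) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         version="3.0">

  <session-config>
    <!-- Only ever carry the session ID in a cookie, never as ;jsessionid=...
         in the URL. With this set, response.encodeURL() no longer appends the
         ID, so it cannot leak through cut+paste, bookmarks or Referer headers. -->
    <tracking-mode>COOKIE</tracking-mode>

    <cookie-config>
      <!-- Browser sends the cookie only over HTTPS; an eavesdropper on plain
           HTTP never sees it. Requires the app to be reachable over HTTPS. -->
      <secure>true</secure>
      <!-- Not readable from page script, which blocks the simplest
           script-based theft of the ID. -->
      <http-only>true</http-only>
    </cookie-config>
  </session-config>

</web-app>
```

A quick check after deploying: open a page that uses `encodeURL()` with cookies disabled in the browser; with `tracking-mode` set to `COOKIE` the links must no longer contain `;jsessionid=`, and the `Set-Cookie: JSESSIONID=...` response header should carry the `Secure` and `HttpOnly` attributes. Whatever the cookie settings, the reply's last point still stands: anyone who can read the request in the clear can replay the ID, so the `secure` flag is only meaningful together with an HTTPS connector.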