On 10/10/2010 20:59, Brian wrote: > Hi Mark, > > Do you understand exactly what vulnerability are they talking about?
No. It doesn't make much sense to me at the minute. I'd ask for more specific information. > For > some reason, they have determined that I have it, even though I'm not using > Jrun but they wrongly assume I am. Looks like it so far. It all depends how they are detecting the vulnerability. It could be a false positive but there isn't enough information to tell. > What do you mean exactly with "app managing its own authentication"? Sorry > if it is a dumb question. If you use Tomcat's authentication (BASIC, FORM, etc) then Tomcat will change the session ID on authentication and therefore protect against session fixation. If the app has its own authentication mechanism it is possible that the session ID will not be changed on authentication creating the possibility for a session fixation attack. > I found this on Google, and now that I read it I realize they are quoting > you! :-) > http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomc > at-7-The-New-and-the-Improved.htm > Is this the same subject? Yep, although that is looking at Tomcat 7. The session fixation protection (along with a handle of other things originally developed for Tomcat 7) got back-ported to Tomcat 6. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
