https://issues.apache.org/bugzilla/show_bug.cgi?id=49811
--- Comment #5 from Christopher Schultz <ch...@christopherschultz.net> 2010-08-27 09:47:16 EDT ---

(In reply to comment #4)
> > You should probably also change the URL-parsing code that accepts jsessionid
> > parameters and have it ignore URL-supplied jsessionids, otherwise you aren't
> > really preventing session hijacking... you're just limiting the damage
> > stupidity can cause.
>
> Okay, that's fair enough, but I thought that I had :(
>
> Specifically, I thought the changes to CoyoteAdapter.java covered this.

Oops, I think I must have missed that. I haven't reviewed the other code in
those classes -- just your patch file. If you've found all the places where
"session" and/or "id" (or even ";") exist in those files, then you should be
good.
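The point raised in the quoted comment, that a session ID arriving in the URL should not be honoured, can also be enforced at the application layer. The filter below is an added example, not Tomcat code and not the patch under review; it relies only on the standard javax.servlet API and assumes the application is willing to discard any session state reached via a rewritten URL.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example, not part of Tomcat or of the patch discussed above.
 * Refuses to honour a session ID that was supplied through URL rewriting
 * (";jsessionid=..."): the session it names is invalidated and a fresh,
 * container-generated one is started, so a URL carrying a session ID is
 * never enough on its own to resume that session.
 */
public class RejectUrlSessionIdFilter implements Filter {

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            // Cookie-supplied IDs pass through untouched; only the URL case is rejected.
            if (request.isRequestedSessionIdFromURL()) {
                HttpSession session = request.getSession(false);
                if (session != null) {
                    // The ID has been exposed in a URL (logs, bookmarks, referrers),
                    // so drop the session rather than silently keep using it.
                    session.invalidate();
                }
                // Start over with a new ID that the container delivers by cookie.
                request.getSession(true);
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}
}
```

On a Servlet 3.0 container the same effect is available declaratively by restricting session tracking to cookies (`<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml); the filter is the application-level counterpart for code that cannot rely on that setting.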