Hi list,
I was just trying out something today and I would like to get your input on
this.
As you know, the servlet spec allows developers to support users who don't
allow cookies by using the encodeURL method. This is supposed to determine
if cookies are allowed and if not, put the sessionId in the actual URL so
that sessions can still be properly maintained.
So, let's say that I have this URL on a page:
<a href="<%=response.encodeURL("test.jsp")%>">page</a>
I open Netscape, go to the page with the link and don't accept the session
cookie that JRun tries to give me. As a result the link becomes something
similar to this:
http://localhost/test/test.jsp?jsessionid=217739977932893022
with the sessionId as part of the URL. So far, ok.
Now my question: does anybody know how JRun comes up with these sessionIds?
What's the probability that a user could mess around with such a URL and
suddenly take over somebody else's session?
And also, if cookies are on, JRun uses session cookies to keep control of
its sessions. These cookies are in-memory cookies on the browser, are not
written to disk and go away when the browser is closed. Does anybody know
of a way that a user could access these in-memory cookies on his browser and
modify their values?
Thanks for your input.
Cristian
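One way a defender can approach the first question above (how guessable the issued IDs are) is to audit a sample of them for nominal size, shared prefix and counter-like behaviour. This is an added example, not code from the original message or from JRun; the decimal IDs are constructed to resemble the one quoted above, and the thresholds (a 64-bit floor, a "small step" of at most 1000) are assumptions.

```python
import math
import secrets
from typing import Dict, List

# Constructed decimal IDs in the style of the one quoted in the message (not real JRun output).
WEAK_SAMPLE = [
    "217739977932893022", "217739977932893023", "217739977932893031",
    "217739977932893040", "217739977932893047", "217739977932893058",
]

def strong_sample(n: int = 8) -> List[str]:
    """What a server should be issuing: 128 random bits from a CSPRNG, hex-encoded."""
    return [secrets.token_hex(16) for _ in range(n)]

def nominal_bits(ids: List[str], base: int) -> float:
    """Upper bound on entropy from length alone: shortest ID times log2(alphabet size)."""
    return min(len(i) for i in ids) * math.log2(base)

def common_prefix_len(ids: List[str]) -> int:
    """Characters shared by every ID in the sample; they carry no entropy at all."""
    prefix = ids[0]
    for i in ids[1:]:
        while not i.startswith(prefix):
            prefix = prefix[:-1]
    return len(prefix)

def sequential_fraction(ids: List[str], base: int, max_step: int = 1000) -> float:
    """Fraction of consecutive pairs that differ by a small positive step (assumed: <= 1000).
    Close to 1.0 means the generator behaves like a counter."""
    values = [int(i, base) for i in ids]
    steps = [b - a for a, b in zip(values, values[1:])]
    return sum(1 for s in steps if 0 < s <= max_step) / len(steps) if steps else 0.0

def audit(ids: List[str], base: int, min_bits: float = 64.0) -> Dict[str, object]:
    """Summarise the sample; the 64-bit floor is an assumption matching common guidance."""
    prefix = common_prefix_len(ids)
    effective = nominal_bits([i[prefix:] for i in ids], base)
    seq = sequential_fraction(ids, base)
    weak = effective < min_bits or seq > 0.5
    return {
        "nominal_bits": round(nominal_bits(ids, base), 1),
        "shared_prefix": prefix,
        "effective_bits": round(effective, 1),
        "sequential": round(seq, 2),
        "verdict": "weak" if weak else "acceptable",
    }
```

Running `audit(WEAK_SAMPLE, 10)` reports about 60 nominal bits but under 7 effective bits and a sequential fraction of 1.0, while `audit(strong_sample(), 16)` comes out at 128 bits with no counter behaviour.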
Archives: http://www.mail-archive.com/[email protected]/