This is not a Resin issue; all application servers have this issue. This article presents some practical fixes: http://shiflett.org/articles/session-hijacking

Note that an HTTPS cookie can also be hijacked if it is not implemented properly. I am not going to delve into details on this topic.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of John Livic
Sent: Wednesday, February 11, 2009 9:17 AM
To: [email protected]
Subject: [Resin-interest] Is resin vulnerable to session cookie hijacking?

Hello,

I would like to know if Resin 3 is vulnerable to session cookie hijacking. In the documentation it's written that:

"It is conceivable that someone could use a packet sniffer to find the session id of a user and then make a fake request to Resin thus gaining access to the session. This can be avoided by using HTTPS."

Does that mean that a session id is not tied to an IP address? For performance reasons I would like to use HTTPS on the login page only.

Thanks in advance,
John

_______________________________________________
resin-interest mailing list
[email protected]
http://maillist.caucho.com/mailman/listinfo/resin-interest

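The reply's point that an HTTPS session cookie "can also be hijacked if it is not implemented properly" comes down to the cookie's attributes: if the session cookie is set without the Secure attribute, the browser will send the same session id over every later plain-HTTP request, so protecting only the login page with HTTPS leaves the id exposed to exactly the sniffing the Resin documentation describes. The following checker is an added example written for this thread, not code from Resin or from the list participants; it parses Set-Cookie headers and reports which protections a session cookie is missing. The cookie name JSESSIONID and the sample header values are constructed for illustration.

```python
"""Audit Set-Cookie headers for the attributes that keep a session id off
plain-HTTP connections.  Added example; the headers below are constructed."""

from dataclasses import dataclass, field


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str, https_login_only: bool = False) -> CookieReport:
    """Report whether a session cookie can be captured on the wire or by script.

    https_login_only models the setup asked about on the list: TLS on the login
    page, plain HTTP afterwards.  Without Secure the browser keeps sending the
    same session id on every http:// request, so that setup gains nothing.
    """
    name, _value, attrs = parse_set_cookie(header)
    report = CookieReport(name=name,
                          secure="secure" in attrs,
                          httponly="httponly" in attrs)
    if not report.secure:
        report.findings.append(
            "missing Secure: cookie is transmitted over plain HTTP and can be sniffed")
        if https_login_only:
            report.findings.append(
                "HTTPS on the login page only does not help: the id issued there "
                "is replayed in the clear on every later http:// request")
    if not report.httponly:
        report.findings.append(
            "missing HttpOnly: cookie is readable from page scripts")
    return report


def audit_headers(headers, session_cookie="JSESSIONID", https_login_only=False):
    """Audit only the session cookie among several Set-Cookie headers."""
    reports = []
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        if name == session_cookie:
            reports.append(audit_session_cookie(header, https_login_only))
    return reports


# Constructed sample responses: one weak, one with the attributes set.
WEAK_HEADERS = [
    "JSESSIONID=abcd1234; Path=/",
    "theme=dark; Path=/",
]
HARDENED_HEADERS = [
    "JSESSIONID=abcd1234; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        for rep in audit_headers(headers, https_login_only=True):
            print(label, rep.name, "findings:", rep.findings or ["none"])
```

Run as a script it prints two findings for the weak cookie and none for the hardened one. Marking the cookie Secure answers the first half of the question on the list (the id never leaves the TLS channel); it does not tie the session to an IP address, which is a separate server-side check and is not something a cookie attribute can express.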