This is not a Resin issue; all application servers have this issue.

This article presents some practical fixes:

Note that an HTTPS cookie can also be hijacked if it is not implemented properly.
I am not going to delve into details on this topic.

-----Original Message-----
On Behalf Of John Livic
Sent: Wednesday, February 11, 2009 9:17 AM
Subject: [Resin-interest] Is resin vulnerable to session cookie hijacking?


I would like to know if Resin 3 is vulnerable to session cookie
hijacking. In the documentation it's written that:

"It is conceivable that someone could use a packet sniffer to find
the session id of a user and then make a fake request to Resin
thus gaining access to the session. This can be avoided by using

Does that mean that a session id is not tied to an IP address?

For performance reasons I would like to use HTTPS on the login
page only.

Thanks in advance,


resin-interest mailing list
