This is not a Resin issue, all application servers have this issue.

This article presents some practical fixes: 
http://shiflett.org/articles/session-hijacking


Note that an HTTPS cookie can also be hijacked if it is not implemented properly.
I am not going to delve into details on this topic.


-----Original Message-----
From: resin-interest-boun...@caucho.com 
[mailto:resin-interest-boun...@caucho.com] On Behalf Of John Livic
Sent: Wednesday, February 11, 2009 9:17 AM
To: resin-interest@caucho.com
Subject: [Resin-interest] Is resin vulnerable to session cookie hijacking?

Hello,

I would like to know if resin 3 is vulnerable to session cookie
hijacking. In the documentation it is written that:

"It is conceivable that someone could use a packet sniffer to find
the session id of a user and then make a fake request to Resin
thus gaining access to the session. This can be avoided by using
HTTPS."

Does that mean that a session id is not tied to an IP address?

For performance reasons I would like to use HTTPS on the login
page only.

Thanks in advance,

John


_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest

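The point raised in the reply (an HTTPS-issued cookie is only as safe as its attributes) and the scenario in the original question (HTTPS on the login page only) can be checked mechanically. The following is an added example, not code from either poster or from Resin; the cookie headers and host are constructed, and `audit` is a hypothetical helper that reports whether a browser would send the session cookie in the clear on a plain-HTTP page of the same site.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into its name, value and security flags."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return {
        "name": name,
        "value": morsel.value,
        "secure": bool(morsel["secure"]),      # "" when the attribute is absent
        "httponly": bool(morsel["httponly"]),
        "path": morsel["path"] or "/",
    }


def sent_in_clear(cookie: dict, url: str) -> bool:
    """True if a browser would transmit this cookie on a cleartext request to url."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False
    if not (parts.path or "/").startswith(cookie["path"]):
        return False
    # Without the Secure attribute the cookie rides along on every http:// request,
    # which is exactly what a packet sniffer on the path needs.
    return not cookie["secure"]


def audit(header: str, url: str) -> list:
    """Return the session-hijacking exposures of a cookie for a given page URL."""
    cookie = parse_set_cookie(header)
    findings = []
    if sent_in_clear(cookie, url):
        findings.append("sent over cleartext HTTP (missing Secure attribute)")
    if not cookie["httponly"]:
        findings.append("readable by page scripts (missing HttpOnly attribute)")
    return findings


# Constructed sample headers; not taken from any real Resin deployment.
WEAK = "JSESSIONID=abcd1234; Path=/"
HARDENED = "JSESSIONID=abcd1234; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for hdr in (WEAK, HARDENED):
        print(hdr, "->", audit(hdr, "http://example.test/account") or ["ok"])
```

Adding Secure stops the leak, but it also means the cookie is never sent to the HTTP pages, so a login-only-HTTPS site loses its session there; the session is only both usable and protected when the whole authenticated area is served over HTTPS.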