Re: Can a client recapture a session in Tomcat 4.1
Yes. You only have to send the right cookie header to the server. And if the browser exits, the right header info is lost. So, if you create a browser which doesn't lose cookie info, you are done. This has nothing to do with which server you are running. For PHP, ASP or anything else it works the same.

Ronald.

On Thu May 12 16:57:29 CEST 2005 Tomcat Users List tomcat-user@jakarta.apache.org wrote:

> Can a client recapture his Tomcat session after he has accidentally closed the browser, provided that the session object still exists on the server? Would this be a browser-specific thing? After all, I guess I'd need to tell the browser to persist the session cookie or some such thing. Or would it work browser-independently using URL-rewriting?
>
> If there is such a mechanism, does it pose any security concerns (e.g. through Tomcat reusing a session-id for a totally different session?)
>
> We're on Tomcat 4.1. Would the answer be any different for Tomcat 5.0?
>
> Thanks for any enlightenment or additional pointers.
>
> -- Sebastian
>
> --
> Sebastian Millies, IDS Scheer AG
> Postfach 10 15 34, 66015 Saarbrücken
> Zi D1.16, [EMAIL PROTECTED]
> fon +49-681-210-3221, fax +49-681-210-1311

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Can a client recapture a session in Tomcat 4.1
Can a client recapture his Tomcat session after he has accidentally closed the browser, provided that the session object still exists on the server? Would this be a browser-specific thing? After all, I guess I'd need to tell the browser to persist the session cookie or some such thing. Or would it work browser-independently using URL-rewriting?

If there is such a mechanism, does it pose any security concerns (e.g. through Tomcat reusing a session-id for a totally different session?)

We're on Tomcat 4.1. Would the answer be any different for Tomcat 5.0?

Thanks for any enlightenment or additional pointers.

-- Sebastian

--
Sebastian Millies, IDS Scheer AG
Postfach 10 15 34, 66015 Saarbrücken
Zi D1.16, [EMAIL PROTECTED]
fon +49-681-210-3221, fax +49-681-210-1311
RE: Can a client recapture a session in Tomcat 4.1
I am not sure if this can be done... I guess you could build a framework where the user's session id and IP are logged (unless they log out) and then when the user comes back you could use the old session. I have never tried this personally but I don't see why it should not work.

Arup

-----Original Message-----
From: Millies, Sebastian [mailto:[EMAIL PROTECTED]
Sent: 12 May 2005 15:57
To: tomcat-user@jakarta.apache.org
Subject: Can a client recapture a session in Tomcat 4.1

Can a client recapture his Tomcat session after he has accidentally closed the browser, provided that the session object still exists on the server? [...]

-- Sebastian
Re: Can a client recapture a session in Tomcat 4.1
Hi Sebastian,

On Thursday, 12 May 2005 16:57, Millies, Sebastian wrote:
> Can a client recapture his Tomcat session after he has accidentally closed the browser, provided that the session object still exists on the server? Would this be a browser-specific thing? [...] If there is such a mechanism, does it pose any security concerns (e.g. through Tomcat reusing a session-id for a totally different session?) [...]

From my point of view, you are already asking the right questions.

Firstly, if you always maintained the session by using cookies and never by transporting the session id in the URL, if you furthermore set a persistent session cookie which is not destroyed when the browser is closed, and if last but not least the user had made his browser settings accordingly (not deleting cookies when closing the browser), then it would be possible to re-capture the Tomcat session as long as it still existed on the server. As you can see, there are a lot of ifs.

Secondly, it would be a severe security hole in your application if you set persistent session cookies. From the security point of view, the session cookie has to be destroyed when the browser is closed. Imagine a user closes the browser intentionally and not accidentally, and the next user can re-capture, rather hijack, his session just because the session cookie is persistent. Draw the conclusion yourself, but a persistent session cookie to comfort the user when closing the browser accidentally results in a security hole which I would not allow in my web application.

It cannot be in the interest of the user concerned that you cannot guarantee the privacy of his data after the browser has been closed, due to persistent session cookies.

Best wishes
Lutz
Re: Can a client recapture a session in Tomcat 4.1
Using IP sounds a bit scary as a lookup - think of all the users with equivalent IP addresses (because of NATing routers/firewalls, etc.). Plus it strikes me it would be a nightmare to test...

But, if instead you wanted to have a session that wasn't linked to Tomcat's notion of a session, you could (maybe) build a separate session management that was stored in a regular (non-session) cookie -- it would then persist across sessions in the same browser...

Tim

Arup Vidyerthy wrote:
> I am not sure if this can be done... I guess you could build a framework where the user's session id and IP are logged (unless they log out) and then when the user comes back you could use the old session. I have never tried this personally but I don't see why it should not work.
>
> Arup
>
> -----Original Message-----
> From: Millies, Sebastian [mailto:[EMAIL PROTECTED]
> Sent: 12 May 2005 15:57
> To: tomcat-user@jakarta.apache.org
> Subject: Can a client recapture a session in Tomcat 4.1
>
> Can a client recapture his Tomcat session after he has accidentally closed the browser, provided that the session object still exists on the server? [...]
>
> -- Sebastian
RE: Can a client recapture a session in Tomcat 4.1
I agree, actually once I posted it I thought the same thing. What I suggested is not particularly useful but I have seen it done :-( I guess, in the end, this whole session persistence is just a bad idea.

Arup

-----Original Message-----
From: Tim Diggins [mailto:[EMAIL PROTECTED]
Sent: 12 May 2005 16:21
To: Tomcat Users List
Subject: Re: Can a client recapture a session in Tomcat 4.1

Using IP sounds a bit scary as a lookup - think of all the users with equivalent IP addresses (because of NATing routers/firewalls, etc.). Plus it strikes me it would be a nightmare to test... [...]

Tim

Arup Vidyerthy wrote:
> I am not sure if this can be done... [...]
>
> Arup
>
> -----Original Message-----
> From: Millies, Sebastian [mailto:[EMAIL PROTECTED]
> Sent: 12 May 2005 15:57
> To: tomcat-user@jakarta.apache.org
> Subject: Can a client recapture a session in Tomcat 4.1
>
> Can a client recapture his Tomcat session after he has accidentally closed the browser, provided that the session object still exists on the server? [...]
>
> -- Sebastian
Re: Can a client recapture a session in Tomcat 4.1
Hi Tim,

On Thursday, 12 May 2005 17:20, Tim Diggins wrote:
> Using IP sounds a bit scary as a lookup [...]
>
> But, if instead you wanted to have a session that wasn't linked to Tomcat's notion of a session, you could (maybe) build a separate session management that was stored in a regular (non-session) cookie -- it would then persist across sessions in the same browser...

But how do you validate that it is still the right person in front of the PC / monitor? ;-)

Persistent session cookies are simply an unacceptable security breach if more than one person can have access to the PC.

Best wishes
Lutz
Re: Can a client recapture a session in Tomcat 4.1
From: Millies, Sebastian [mailto:[EMAIL PROTECTED]
Sent: 12 May 2005 15:57
> Can a client recapture his Tomcat session after he has accidentally closed the browser, provided that the session object still exists on the server?

If the client authenticates to your server (i.e. they log in), then you can use their login credentials as a key for session data. The downside is that you'll have to basically build your own session manager to facilitate this (to handle expiration, inactivation, etc., if you want those features).

However, there's no reason you can't leverage the built-in session listeners to help implement this. For example, you can do some crude reference counting and when a user logs in, you register their session with your login-ID based session manager. Then, when the session expires (and calls the listener), it can check to see if any other sessions are registered, and if not, then it can safely kill the login-ID based session. This gives you the time out capability fairly cheaply. You don't get serialization and such though, nor clustering, but if you're not using those features, you don't care.

Actually, as an aside, this would be a bit nasty, but you may be able to tweak the Tomcat session code to, instead of using a temporary, browser based JSESSIONID cookie, make it permanent (but still expire in, say, an hour -- whatever timeout is suitable). This cookie would survive browser restarts (for good and ill). Other folks have mentioned the potential ramifications of that, but by doing it this way, it's possible. Just hope they don't use this in a public library.

This basically redefines how sessions work for YOUR Tomcat, but it doesn't sound like an arduous change, and you get all of the other Tomcat session infrastructure for free. Your webapp won't be portable if you rely on this though, since you have to change Tomcat itself to make it work.

Regards,

Will Hartung
([EMAIL PROTECTED])
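Will's login-ID keyed session manager with listener-based reference counting, written out as an added example that is neither Will's nor Tomcat's code: a static per-login store, a `bind()` that the (assumed) login servlet calls after the password check, and an `HttpSessionBindingListener` token whose `valueUnbound` callback decrements the count on timeout or `invalidate()`. It assumes the javax.servlet 2.3+ API and Java 8; the class and attribute names are made up for the example.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Per-login data store that outlives any single HttpSession (example class,
 * not part of Tomcat). A user who closed the browser re-authenticates and is
 * bound to the same record; no persistent session cookie is involved.
 */
public final class LoginSessionManager {
    private static final Map<String, Map<String, Object>> DATA = new HashMap<>();
    private static final Map<String, Integer> REFS = new HashMap<>();

    /** Call from the login servlet after the credentials have been verified. */
    public static synchronized Map<String, Object> bind(HttpSession session, String loginId) {
        REFS.merge(loginId, 1, Integer::sum);
        // A binding listener stored as an attribute is unbound on both
        // invalidate() and timeout, so it also works on Servlet 2.3 containers
        // such as Tomcat 4.1 without relying on HttpSessionListener ordering.
        session.setAttribute("login.token", new Token(loginId));
        return DATA.computeIfAbsent(loginId, k -> new HashMap<>());
    }

    private static synchronized void release(String loginId) {
        int n = REFS.getOrDefault(loginId, 1) - 1;
        if (n > 0) {
            REFS.put(loginId, n);          // another live session still holds the record
        } else {
            REFS.remove(loginId);          // last session for this login is gone
            DATA.remove(loginId);          // so the per-login data is dropped with it
        }
    }

    /** Reference-counting token; one per HttpSession bound to a login. */
    private static final class Token implements HttpSessionBindingListener {
        private final String loginId;
        Token(String loginId) { this.loginId = loginId; }
        public void valueBound(HttpSessionBindingEvent e) { }
        public void valueUnbound(HttpSessionBindingEvent e) { release(loginId); }
    }
}
```

The returning user still has to log in again before `bind()` hands back the old record, and logout is `session.invalidate()`, which unbinds the token; that re-authentication, not a persistent JSESSIONID cookie, is what ties the data to the right person.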