On Monday, 2 November 2009 12:09:43, Willy Tarreau wrote:
> > * it adds a verification on the '=' char :
> > currently (with appsession JSESSIONID for example), a URL like
> > http:///path;jsessionidfake=0123... matches the session id
> > "ake=0123..."
> > => with the patch, jsessionidfake won'
Hi Cyril,
On Sun, Nov 01, 2009 at 12:19:05AM +0100, Cyril Bonté wrote:
> Hello Willy and Aleksandar,
> If you agree, I would like to apply this new patch to add some more integrity
> checking on appsession.
>
> * the session value (provided by the URL or by the request/response cookie)
> is now