[Resin-interest] Is resin vulnerable to session cookie hijacking?

2009-02-11 Thread John Livic
Hello, I would like to know if resin 3 is vulnerable to session cookie hijacking. In the documentation it's written that : It is conceivable that someone could use a packet sniffer to find the session id of a user and then make a fake request to Resin thus gaining access to the session. This can

Re: [Resin-interest] Is resin vulnerable to session cookie hijacking?

2009-02-11 Thread Scott Ferguson
On Feb 11, 2009, at 9:17 AM, John Livic wrote: Hello, I would like to know if resin 3 is vulnerable to session cookie hijacking. In the documentation it's written that : It is conceivable that someone could use a packet sniffer to find the session id of a user and then make a fake request

Re: [Resin-interest] Context and Dependency Injection

2009-02-11 Thread Scott Ferguson
On Feb 11, 2009, at 8:38 AM, Aaron Freeman wrote: Scott, I have finally caught up with understanding where you are going with the new Resin IoC -- I am excited to use it. I'd like to do some of the things on this doc: http://www.caucho.com/resin/doc/resin-ioc.xtp but I don't see

[Resin-interest] Resin Messaging using JCA

2009-02-11 Thread ngiudici
Hi all, I'm trying to figure out how to send jms messages between different resin servers. I was able to get the tutorial here, http://www.caucho.com/resin/examples/jms-listener/index.xtp, working with no issues when I'm sending the message and receiving it on the same instance of resin. Now I

Re: [Resin-interest] Is resin vulnerable to session cookie hijacking?

2009-02-11 Thread Gary Zhu
This is not a Resin issue, all application servers have this issue. This article presents some practical fixes: http://shiflett.org/articles/session-hijacking Note that HTTPS cookie can also be hijacked if it is not implemented properly. I am not going to delve into details on this topic.

Re: [Resin-interest] upload limit

2009-02-11 Thread Riccardo Cohen
Thanks for your answer, I have read the doc too quickly and now I understand the per request statement. I did this: public void service(HttpServletRequest req, HttpServletResponse res) { req.setAttribute("caucho.multipart.form.upload-max", new Long(30)); This works all right. Now

Re: [Resin-interest] upload limit

2009-02-11 Thread Aaron Freeman
Honestly I avoid using sessions like the plague, so I may not be the best person to answer your question. However, I don't think calling getSession should cause your file upload to break at all. What happens if the getSession() returns null though? Maybe you want getSession(true)? What error

Re: [Resin-interest] upload limit

2009-02-11 Thread Riccardo Cohen
I don't know exactly why because there is no exception on the server side, but when I call getSession() before req.setAttribute() the upload limit is not changed and I have an IO error on the flash side (error 2038 from hessian) if the file is too big. If I set the attribute before