The problem you describe is true of any session tracking system running
over http. The solution is to use https.
However, here's a question to fire back at your security team:
If you are worried about an attacker physically looking at a session ID
on a user's screen, what about if they decide
Thanks a lot for your reply. We'll see if we can persuade our security guys to
drop this issue.
Kind regards,
Alex.
-Original Message-
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Monday, 18 July 2005 2:50 AM
To: Tomcat Users List
Subject: Re: Tomcat security realms question