s hoping for a way to do this for all webapps
> and all servlets via configuration. Thoughts?
>
> Thanks in advance for any help.
>
> -
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
>
Or, you could write a filter that checks request.isRequestedSessionIdFromURL()
and invalidates the session if it is. BTW, if there is a cookie set, that
overrides anything provided in the URL.
Eric
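A filter along the lines Eric describes, as an added example (this is not code posted in the thread). It assumes the javax.servlet 2.4 API that Tomcat 5.5 implements; the class name, filter name and web.xml mapping shown in the comment are made up for the example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Added example, not code from the thread. Assumes the javax.servlet 2.4
 * API shipped with Tomcat 5.5; class and filter names are hypothetical.
 *
 * Any session id that arrives as ;jsessionid=... in the URL is refused:
 * the session it names (if one exists) is invalidated and the client is
 * redirected to the same URL with the path parameter stripped. Only an
 * id carried in the JSESSIONID cookie ever reaches the servlets.
 *
 * Declare it in WEB-INF/web.xml ahead of any other filter:
 *
 *   <filter>
 *     <filter-name>RejectUrlSession</filter-name>
 *     <filter-class>RejectUrlSessionFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>RejectUrlSession</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class RejectUrlSessionFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // True only when the id was taken from the URL. If a JSESSIONID
        // cookie is present as well, Tomcat uses the cookie and this is false.
        if (request.isRequestedSessionIdFromURL()) {
            // If the URL-supplied id names a live session, invalidate it so
            // whoever chose that id cannot share it with this user.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // Send the client back to the same URL without the path
            // parameter; a session created later will be sent as a cookie.
            response.sendRedirect(stripSessionPathParam(request));
            return;
        }
        chain.doFilter(request, response);
    }

    /** Rebuild the request URL without the ;jsessionid=... path parameter. */
    static String stripSessionPathParam(HttpServletRequest request) {
        String uri = request.getRequestURI();
        int semi = uri.indexOf(';');
        if (semi >= 0) {
            uri = uri.substring(0, semi);
        }
        String query = request.getQueryString();
        return query == null ? uri : uri + "?" + query;
    }
}
```

Two things to keep in mind: the redirect cannot loop, because the second request no longer carries the path parameter and so passes straight through; and clients that have cookies disabled lose session tracking entirely, which is exactly the trade-off the original question asks for.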
This is what I ended up doing. Thanks.
-
On Thu, Sep 07, 2006 at 06:33:41PM -0400, Chetan Sabnis wrote:
> Is there a way to disable the Tomcat server (5.5) from accepting
> sessions that are sent in the URL using jsessionid? This would be
> useful in preventing certain session fixation attacks. Basically, I
> would want sessions to be a
Thanks. While I am using Apache httpd in most cases, the webapp can
be run in IIS if someone chooses to deploy it that way (connected via
mod_jk). It certainly seems like this is something that should be
controllable from the Tomcat side of things. Any other suggestions?
Thanks,
Chetan
On 9/8
If you're using apache httpd as a front end you can
handle this with a rewrite rule:
RewriteRule (.*);jsessionid.* $1
I do this for a different reason - when my users go to
the top level url they are redirected to a login page
that includes the jsessionid in the new url. They
then bookmark the p
Is there a way to disable the Tomcat server (5.5) from accepting
sessions that are sent in the URL using jsessionid? This would be
useful in preventing certain session fixation attacks. Basically, I
would want sessions to be accepted only if they are sent using a
cookie.
Specifically, I am conc