> From: Mikolaj Rydzewski [mailto:[EMAIL PROTECTED]
> Jasbinder Singh Bali wrote:
> > And how should I get rid of session hijacking. Is there any feature in
> > tomcat that takes care of it?
> Figure it out yourself, it's not so hard ;-)
>
> I.e. you can store client's IP address in a session, and compare it with
> every request. If they don't match, then session is probably hijacked.
> That's the easiest solution, which will break some clients.
Yes. It's possible to get round that if you can inject packets onto the network, but it's getting harder to do so unless you can compromise one end of the network or the other - more routers and ISPs are dropping packets with faked source IPs, and more servers are implementing well-randomised TCP sequence numbers so that you can't fake a TCP connection "blind".

However, packet injection is generally relatively simple if you can get hold of a machine on the same local network as the target user or the target server - and if you're able to sniff traffic, there's a good chance you already have this.

- Peter

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
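The "store the client's IP in the session and compare it on every request" approach from the quoted post, written out as a servlet Filter for Tomcat. This is an added example, not code from either poster; the attribute name `example.boundClientIp` and the 401 response on mismatch are choices made here. As the thread says, it will break clients whose address changes mid-session.

```java
// Binds an existing HTTP session to the client address seen on its first
// filtered request and invalidates the session if a later request arrives
// from a different address. Caveat from the thread: legitimate clients whose
// IP changes (mobile users, rotating proxy pools) will be logged out.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionIpBindingFilter implements Filter {
    // Session attribute name; chosen for this example.
    static final String BOUND_IP = "example.boundClientIp";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): only check a session the application already created.
        HttpSession session = request.getSession(false);
        if (session != null) {
            String clientIp = request.getRemoteAddr();
            String boundIp = (String) session.getAttribute(BOUND_IP);
            if (boundIp == null) {
                // First request carrying this session: record the peer address.
                session.setAttribute(BOUND_IP, clientIp);
            } else if (!boundIp.equals(clientIp)) {
                // Address differs from the one recorded: treat as a possible
                // hijack, drop the session and refuse the request.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                        "Session is bound to a different client address");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```

Register the filter in web.xml for the URL patterns that use sessions. If Tomcat sits behind a reverse proxy, `getRemoteAddr()` returns the proxy's address for every client, so the check is meaningless unless the real client address is restored first (for example with Tomcat's RemoteIpValve).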