DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=22679>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=22679 how to access ssl session ID out of tomcat to prevent session hijacking ------- Additional Comments From [EMAIL PROTECTED] 2004-10-31 08:27 ------- Thanks for the hint, but unfortunately, after tomcat 3.2. SSLSupport.SESSION_ID_KEY appears to be no longer present in coyote. For those web-applications that do not use session cookies because quite some users do not want cookies - how are they supposed to protect against session hijacking? Still, if for example the web application lets paypal's IPN know how to return into an ongoing (url-rewritten) session, one has to trust them not to spoof the remoteAddress? --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]