An easy workaround is to save the client IP address in the session, and
check on each page whether this IP address is the address the client has.
It's not waterproof, but it makes it far more difficult (ensure that a
good router is available).

Sjoerd van Leent
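As an added example (not code from this thread or from Tomcat), here is the session-to-address check described above written as a servlet filter; the class name, the session attribute name and the web.xml mapping are this example's own assumptions. It records the client address the first time it sees a session and invalidates the session when a later request for that session arrives from a different address.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds each session to the client address that first used it. Map this
 * filter to the protected URLs in web.xml. Limitation: clients behind a
 * shared proxy or NAT present one address, and a client whose address
 * changes mid-session is logged out, so this raises the bar rather than
 * closing the hole; transport encryption (SSL) is still needed.
 */
public class SessionAddressFilter implements Filter {

    // Session attribute name is an assumption of this example.
    static final String ADDR_ATTR = "sessionAddressFilter.clientAddr";

    public void init(FilterConfig cfg) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create one here
        if (session != null && !addressMatches(session, request.getRemoteAddr())) {
            session.invalidate(); // drop the session rather than let it be reused
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Session not valid from this address");
            return;
        }
        chain.doFilter(req, res);
    }

    /** Records the address on first sight; afterwards compares against it. */
    static boolean addressMatches(HttpSession session, String clientAddr) {
        String bound = (String) session.getAttribute(ADDR_ATTR);
        if (bound == null) {
            session.setAttribute(ADDR_ATTR, clientAddr);
            return true;
        }
        return bound.equals(clientAddr);
    }

    public void destroy() { }
}
```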

-----Original Message-----
From: Richard Dunn [mailto:[EMAIL PROTECTED] 
Sent: Sunday 17 August 2003 21:02
To: Tomcat Users List
Subject: Re: Session Security

On Sunday 17 August 2003 12:44, Todd O'Bryan wrote:
> Is there any block against someone stealing someone else's session id
> and using it for nefarious purposes? In other words, if I write a grade
> book program, could a sharp student write down the session id from a
> web address (if cookies are off) or look in the teacher's cookie file,
> and then go to a computer in the library and use the same session id to
> connect to the grade book page before the teacher logs out?
>
> Does the session id check itself against the issuing computer's IP
> address or anything to prevent such a thing from happening? I realize
> it's a stretch that someone might leave their computer unattended long
> enough for such a thing to happen, but I just want to be sure. Also,
> could someone listening in to the net traffic grab the session id and
> then use it?
>
> Thanks,
> Todd

I am not a security expert, but if someone with my limited knowledge on
security can use a tool like tcpdump and do some of what you're saying
(and I have), a nefarious type whose primary interest is doing this type
of thing certainly can.

The number of possible exploits is endless, but for a start I would
suggest using SSL to encrypt the login info and data going over the wire.
There are things you can do programmatically to check for the computer's
IP, but this can also be spoofed by someone with even a little knowledge.

I would recommend getting a good book on security. There are things you
can do at the system admin level to decrease the chance of a security
breach, but you also have to put the right stuff in your programs. Holes
on either one can negate the other.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]