Chris,

I just had a discussion with Harry Mantheakis concerning the same point. Of course it is always good (and often necessary) to secure the sessionid (with SSL). In the time of "mega-proxies" with more than one IP address, comparing IP addresses won't be of much use.
Andreas Mohrig

-----Original Message-----
From: Christopher Schultz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 13, 2003 2:16 PM
To: Tomcat Users List
Subject: Re: session security questions?

Andreas,

>> 1. Where is the session variable stored? server side or client
>> cookie?

> However, the sessionid is passed back and forth between the server and the
> client, of course. But that should not be a problem, because of the
> (pseudo) random and quite complex nature of sessionids it would be
> hard to guess someone else's sessionid.

Yes, it's hard to guess the id of a session. However, if you were to snoop HTTP traffic and intercepted someone's HTTP header, then you could easily use that session id to hijack someone else's session by submitting the same cookie header to the server.

You can try other techniques of preventing this from happening, including comparing IP addresses from requests (see the archives for a discussion of this; including how it doesn't always work!).

-chris
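The two points made in this exchange (a captured cookie header is enough to hijack a session, and binding the session to the client IP rejects the attacker but also rejects a legitimate user whose proxy pool rotates egress addresses) can be modelled in a few lines. The following is an added example, not code from the thread or from Tomcat; it is written in Python rather than as a Tomcat servlet filter so that it runs stand-alone. The cookie name JSESSIONID is Tomcat's default; the IP addresses, the user name, the sniffed header and the 128-bit CSPRNG id are constructed for the example.

```python
"""Model of session hijack by cookie replay, and of the IP-binding trade-off."""
import secrets
from dataclasses import dataclass
from typing import Optional


def parse_cookie_header(header: str) -> dict:
    """Parse a raw 'Cookie:' request header into a name -> value dict.

    This is all an attacker sniffing cleartext HTTP needs: the header as
    sent, session cookie included.
    """
    _, _, raw = header.partition(":")
    cookies = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


@dataclass
class Session:
    sid: str
    user: str
    bound_ip: str  # source address the session was created from


class SessionStore:
    """Server-side session table keyed by an unguessable session id."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, user: str, client_ip: str) -> str:
        # 128 bits from a CSPRNG (assumed for the example): guessing an id is
        # hopeless, which is why replaying a *captured* id is the real threat.
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(sid, user, client_ip)
        return sid

    def lookup(self, sid: str, client_ip: str, bind_ip: bool) -> Optional[Session]:
        """Resolve a presented id to a session, or None if it is refused.

        With bind_ip=True the request is refused when its source address
        differs from the one recorded at session creation.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        if bind_ip and session.bound_ip != client_ip:
            return None
        return session


def set_cookie_header(sid: str, secure: bool) -> str:
    """Set-Cookie header for the session id.

    The Secure attribute tells the browser to send the cookie only over an
    SSL/TLS connection, which is the concrete form of "secure the sessionid
    with SSL" at the cookie level.
    """
    header = f"Set-Cookie: JSESSIONID={sid}; Path=/"
    if secure:
        header += "; Secure"
    return header


def run_scenario(bind_ip: bool) -> dict:
    """Victim logs in, attacker replays the sniffed cookie, victim's proxy changes IP.

    Returns which of the two follow-up requests the server accepted.
    """
    store = SessionStore()
    # Constructed addresses: victim, attacker, and the next egress address
    # of the victim's multi-IP proxy.
    victim_ip, attacker_ip, proxy_pool_next_ip = "198.51.100.10", "203.0.113.7", "198.51.100.11"

    sid = store.create("andreas", victim_ip)
    # Constructed cleartext request header as it would appear on the wire.
    sniffed = f"Cookie: JSESSIONID={sid}; lang=de"
    stolen_sid = parse_cookie_header(sniffed)["JSESSIONID"]

    return {
        "attacker_replay_accepted": store.lookup(stolen_sid, attacker_ip, bind_ip) is not None,
        "victim_via_new_proxy_ip_accepted": store.lookup(sid, proxy_pool_next_ip, bind_ip) is not None,
    }


if __name__ == "__main__":
    print("no IP binding:", run_scenario(bind_ip=False))
    print("IP binding:   ", run_scenario(bind_ip=True))
```

Without IP binding the replayed cookie is accepted, which is the hijack Chris describes; with IP binding the attacker is refused, but so is the victim's own next request once the proxy presents a different address, which is the failure Andreas points out. Only keeping the cookie off the cleartext wire (SSL, enforced with the Secure attribute) removes the capture step itself.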
