Howdy,

Part of the session creation involves information about the user environment, such as his/her IP address and browser. Someone would have to read the bulletin board and contact the server from the same IP address as the original user before the session expires. But anyway, the session creation code, like all of Tomcat, is open-source, so you can take a look and tell us if you find any vulnerabilities ;)
Yoav Shapira
Millennium ChemInformatics

>-----Original Message-----
>From: Marc Hughes [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, January 27, 2004 9:35 AM
>To: [EMAIL PROTECTED]
>Subject: Tomcat5 and url tracking hijacking
>
>Does tomcat 5 use some kind of mechanism to prevent session hijacking
>when url session tracking is being used? For instance, if someone posts
>a url to a website with the tracking info in it, will anyone clicking on
>that link pick up the original user's session (assuming it didn't time
>out yet)? If it does prevent this, how?
>
>If anyone knows of any articles about keeping sessions safe, I'd love to
>get pointed to those.
>
>Thanks,
>-Marc
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
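The question above is what an application can do when its session ID travels in the URL and the link gets pasted somewhere public. As an added example (not Tomcat's own code, and not something either poster wrote), here is a servlet filter written against the Servlet 2.4 API that a Tomcat 5 webapp could deploy: it refuses to honour a session ID that arrived via URL rewriting, invalidates that session so the link is worthless to anyone else, and redirects to the same resource without the ";jsessionid" path parameter. It also carries a helper that issues a fresh session ID after login, so an ID that was exposed before authentication is dead afterwards. The class and method names (UrlSessionRejectFilter, renewSession) are the example's own.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Added example, not Tomcat code.  Refuses to honour a session ID supplied
 * through URL rewriting (";jsessionid=...").  A link pasted to a bulletin
 * board carries the poster's ID, so the ID alone must never be enough to
 * resume that session.  Uses only the Servlet 2.4 API available in Tomcat 5.
 */
public class UrlSessionRejectFilter implements Filter {

    public void init(FilterConfig cfg) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isRequestedSessionIdFromURL() is true only when the container found
        // the ID in the URL path parameter rather than in a cookie.
        if (request.getRequestedSessionId() != null
                && request.isRequestedSessionIdFromURL()) {

            // If the URL-carried ID is still valid it belongs to whoever posted
            // the link; kill it so nobody holding the URL can resume it.
            HttpSession exposed = request.getSession(false);
            if (exposed != null) {
                exposed.invalidate();
            }

            // Rebuild the URL without the path parameter.  Tomcat consumes the
            // ";jsessionid" segment before computing servletPath and pathInfo,
            // so neither carries it.  sendRedirect is used directly, not
            // encodeRedirectURL, so no ID is appended to the redirect target.
            StringBuffer clean = new StringBuffer(request.getContextPath());
            clean.append(request.getServletPath());
            if (request.getPathInfo() != null) {
                clean.append(request.getPathInfo());
            }
            if (request.getQueryString() != null) {
                clean.append('?').append(request.getQueryString());
            }
            response.sendRedirect(clean.toString());
            return;
        }

        chain.doFilter(req, res);
    }

    /**
     * Give the caller a brand-new session ID (call this right after a
     * successful credential check) while keeping the attributes of the old
     * session.  Any ID that was visible before authentication, in a URL or
     * otherwise, no longer resolves to anything after this call.
     */
    public static HttpSession renewSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map saved = new HashMap();
        if (old != null) {
            for (Enumeration e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = (String) e.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        // getSession(true) after invalidate() allocates a session with a new ID.
        HttpSession fresh = request.getSession(true);
        for (Iterator i = saved.entrySet().iterator(); i.hasNext();) {
            Map.Entry entry = (Map.Entry) i.next();
            fresh.setAttribute((String) entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

Register the filter in web.xml with a <filter> element and a <filter-mapping> whose <url-pattern> is /* so every request passes through it. The trade-off is deliberate: clients that block cookies can no longer hold a session at all, which is the price of making a pasted link useless. The renewSession helper is independent of the filter and is worth calling from the login handler even where URL rewriting is left enabled.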
