There is not much Tomcat can do about it.

The too-simple solution is to stick the session to the IP.
But that doesn't work well:
- There are several users that can have different IPs in
  the same session (dial-in connection, DSL).
- On the other side, there are several users that use the
  same IP to access the server (they sit behind corporate
  or, even worse, ISP proxies).

If you want safe sessions you have to use HTTPS.

> -----Original Message-----
> From: Marc Hughes [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 27, 2004 3:35 PM
> To: [EMAIL PROTECTED]
> Subject: Tomcat5 and url tracking hijacking
> 
> Does Tomcat 5 use some kind of mechanism to prevent session hijacking
> when URL session tracking is being used? For instance, if someone posts
> a URL to a website with the tracking info in it, will anyone clicking on
> that link pick up the original user's session (assuming it didn't time
> out yet)? If it does prevent this, how?
> 
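
The hijack path raised in the question (a session ID carried in the URL and then shared) can be closed at the application layer by refusing requests whose session ID arrived via URL rewriting instead of a cookie. The filter below is an added example, not code from this thread or from Tomcat; it uses only the standard Servlet API (`isRequestedSessionIdFromURL()`), and the class name and log wording are my own.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter: rejects any request whose session ID came from the
 * URL (;jsessionid=...). Such an ID may have been pasted into a link or
 * leaked through a Referer header, so it is treated as exposed.
 */
public class RejectUrlSessionIdFilter implements Filter {

    private ServletContext context;

    public void init(FilterConfig cfg) {
        // Servlet 2.3-compatible way to reach the context for logging
        context = cfg.getServletContext();
    }

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isRequestedSessionIdFromURL()) {
            // Detection signal: a URL-borne ID that still maps to a live
            // session is exactly the "clicked on a shared link" case.
            if (request.isRequestedSessionIdValid()) {
                context.log("URL-borne session id for live session from "
                        + request.getRemoteAddr());
                HttpSession exposed = request.getSession(false);
                if (exposed != null) {
                    // The ID has been exposed; end the session rather than
                    // let anyone (including the original user) keep using it.
                    exposed.invalidate();
                }
            }
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Session IDs in URLs are not accepted; enable cookies.");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

On Servlet 3.0+ containers (Tomcat 7 and later) the same effect can be had declaratively with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, which stops the container from ever emitting `;jsessionid=` URLs.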
