AFAIK the session id has a random part, so you need either quite some luck to guess the number or you have to find a bug in the random generator.
> -----Original Message-----
> From: Bill Gorr [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 23, 2004 5:35 PM
> To: [EMAIL PROTECTED]
> Subject: session-id prediction
>
> Is there something in Tomcat that stops an adversary from
> guessing someone else's session-id and perform
> a session hijacking?
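To make the two conditions in the reply concrete, here is an added example (not code from this thread and not Tomcat's own implementation). It draws IDs from a CSPRNG, estimates how much "luck" blind guessing needs, and shows why a non-cryptographic generator counts as the "bug" case. The class name, the 16-byte ID length, the session and guess counts, and the seed are all assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Random;

public class SessionIdDemo {
    // Assumed ID length for this example: 16 random bytes = 128 bits.
    private static final int ID_BYTES = 16;

    // Hex-encode the raw bytes so the ID can be carried in a cookie or URL.
    static String hex(byte[] raw) {
        StringBuilder sb = new StringBuilder(raw.length * 2);
        for (byte b : raw) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Draw one session ID from the supplied generator.
    static String newId(Random rng) {
        byte[] raw = new byte[ID_BYTES];
        rng.nextBytes(raw);
        return hex(raw);
    }

    // Upper bound on the chance that any of `guesses` blind guesses hits one of
    // `liveSessions` valid IDs drawn uniformly from 2^bits values (capped at 1).
    static double guessProbability(int bits, double liveSessions, double guesses) {
        return Math.min(1.0, liveSessions * guesses / Math.pow(2.0, bits));
    }

    public static void main(String[] args) {
        // Sound case: SecureRandom is seeded by the platform and its output
        // cannot be derived from earlier IDs.
        System.out.println("CSPRNG id:   " + newId(new SecureRandom()));

        // "Quite some luck": constructed figures of 10,000 live sessions and
        // one billion guesses, for a 128-bit and a 32-bit random part.
        System.out.printf("128-bit ids: %.3e%n", guessProbability(128, 10_000, 1e9));
        System.out.printf(" 32-bit ids: %.3e%n", guessProbability(32, 10_000, 1e9));

        // "Bug in the random generator": java.util.Random is a deterministic
        // generator with 48 bits of state, so the seed fixes every later ID.
        long seed = 1082734500000L; // constructed value, e.g. a clock reading
        String first = newId(new Random(seed));
        String again = newId(new Random(seed));
        System.out.println("same seed gives same id: " + first.equals(again));
    }
}
```

When reviewing a session manager, check which generator class backs the IDs and how many random bits each ID carries, since those two properties decide which branch of the reply applies.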
