> >
> > But Tomcat could use the source IP to generate the cookie, so from a
> > different machine it will not work. I can't test right now.
>
>
> No it can't. The IP is not one per session;
> it may be many IPs per session (a la AOL), it may be many sessions
> per IP (a la firewall or proxy).


So the session cookie/url parameter,

jsessionid=To1015mC3809102659238063At

must be cryptographically secure, and then you are safe (unless someone is
intercepting your requests, which pretty much dwarfs this session stuff,
since he can then just steal your password).

Is the To101... string cryptographically secure?


PS. Please don't steal my session, even if you now have my session id ;)
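The question above (is a session id unpredictable enough?) is one a defender can at least sanity-check by sampling ids and measuring how much of each id actually varies. The following is an added example, not code from the thread or from Tomcat: `secure_session_id` draws ids from the OS CSPRNG, `weak_session_id` is a constructed timestamp-plus-counter scheme used only for contrast (it is not a description of how Tomcat builds its ids), and `estimated_bits` gives a rough per-id unpredictability estimate that exposes fixed prefixes and stale timestamps contributing nothing.

```python
import math
import secrets
from collections import Counter
from typing import List

# Added example; none of this is Tomcat's or the original poster's code.


def secure_session_id(nbytes: int = 16) -> str:
    """Session id drawn from the OS CSPRNG: 16 bytes = 128 bits that an
    attacker cannot do better than brute-force guessing against."""
    return secrets.token_hex(nbytes)


def weak_session_id(counter: int, epoch_ms: int) -> str:
    """Constructed weak scheme for contrast only (NOT how Tomcat works):
    fixed prefix + server start time + per-login counter. Anyone who knows
    roughly when the server started can enumerate every id issued."""
    return f"To{epoch_ms}{counter:06d}"


def estimated_bits(ids: List[str]) -> float:
    """Rough unpredictability estimate for a batch of ids: the sum, over
    character positions, of the empirical Shannon entropy of the symbol
    seen at that position. Positions that never change (fixed prefix,
    stale timestamp) add nothing. This is an upper bound that flags
    obviously weak generators; it is not a proof that a generator is strong."""
    if not ids:
        return 0.0
    width = min(len(s) for s in ids)
    n = len(ids)
    total = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        total += -sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def looks_strong_enough(ids: List[str], min_bits: float = 64.0) -> bool:
    """Common rule of thumb (OWASP session-management guidance): a session
    id should carry at least 64 bits of effective entropy."""
    return estimated_bits(ids) >= min_bits


if __name__ == "__main__":
    strong = [secure_session_id() for _ in range(1000)]
    # Constructed server-start timestamp; any fixed value shows the problem.
    weak = [weak_session_id(i, 1_000_000_000_000) for i in range(1000)]
    print(f"secure ids: ~{estimated_bits(strong):.0f} bits, ok={looks_strong_enough(strong)}")
    print(f"weak ids:   ~{estimated_bits(weak):.0f} bits, ok={looks_strong_enough(weak)}")
```

Run against a sample of real ids captured from your own server, the estimator only tells you when an id is clearly too predictable; a high score still does not prove the generator is cryptographically sound.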


