> From: Jasbinder Singh Bali [mailto:[EMAIL PROTECTED] 
> And how should I get rid of session hijacking. Is there any feature in
> tomcat that takes care of it?

I shouldn't do your work for you, but... just hope your supervisor
doesn't read tomcat-users :-).

Demonstrate: the simplest approach is to use a network sniffer on the
HTTP stream to get the session cookie, then fake that cookie in another
request to the server.  cURL will quite happily pass up faked cookie
files.

Fix: Use https and *never* pass sessions between cleartext and encrypted
sessions, despite it being a common requirement on this list.  Won't get
round all possible attacks if you can gain access to the user's
machine*, but it defeats eavesdropping unless the eavesdropper can break
your SSL key - and if they can do that routinely, the world has *much*
worse problems.

                - Peter

* Keyloggers, browser "helper" objects/plug-ins, XSS attacks if the user
is running an older browser or an exploit can be found in a newer one...
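
The demonstration and the fix above, as an added Python example that is not part of Peter's post: it pulls the session cookie out of a sniffed cleartext request, builds the cURL replay he describes, and then checks a Set-Cookie header for the attributes that stop a sniffer replaying it (Secure) or page script reading it (HttpOnly). Assumptions, none of them from the post: Tomcat's default cookie name JSESSIONID, the made-up host shop.example.test, and the captured request and responses, which are constructed here.

```python
"""Session hijack demo and the check for the fix described above.

Added example (not code from the original post). It assumes Tomcat's
default cookie name JSESSIONID, a made-up host shop.example.test and a
constructed cleartext HTTP capture; nothing here comes from a real
server.
"""
import shlex

# Constructed sample: one request as a sniffer on the cleartext HTTP path
# would see it. The session ID rides in the Cookie header in the clear.
CAPTURED_REQUEST = (
    "GET /app/account HTTP/1.1\r\n"
    "Host: shop.example.test\r\n"
    "Cookie: theme=dark; JSESSIONID=1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def extract_session_cookie(raw_request, name="JSESSIONID"):
    """Return the value of the named cookie from a captured request's
    Cookie header, or None when the request carries no such cookie."""
    for line in raw_request.split("\r\n"):
        if not line.lower().startswith("cookie:"):
            continue
        for part in line.split(":", 1)[1].split(";"):
            key, _, value = part.strip().partition("=")
            if key == name:
                return value
    return None


def replay_command(host, path, name, value):
    """Build the curl command that replays the stolen cookie. Tomcat sees a
    request indistinguishable from the victim's and serves their session."""
    return ["curl", "-s", "-b", f"{name}={value}", f"http://{host}{path}"]


def audit_set_cookie(set_cookie_header, name="JSESSIONID"):
    """Check a Set-Cookie header for the named cookie against the fix: a
    session cookie issued over HTTPS must carry Secure (the browser then
    never sends it over cleartext, so there is nothing to sniff) and
    HttpOnly (script on the page cannot read it). Returns the list of
    missing attributes, [] when both are present, or None when the header
    sets some other cookie."""
    header = set_cookie_header
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    cookie_name = parts[0].partition("=")[0]
    if cookie_name != name:
        return None
    attrs = {p.partition("=")[0].lower() for p in parts[1:]}
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


if __name__ == "__main__":
    sid = extract_session_cookie(CAPTURED_REQUEST)
    print("sniffed session id:", sid)
    cmd = replay_command("shop.example.test", "/app/account", "JSESSIONID", sid)
    print("replay with:", shlex.join(cmd))
    # Constructed responses: the first is a session handed out without any
    # protection, the second is what the fix should produce.
    for hdr in ("Set-Cookie: JSESSIONID=%s; Path=/app" % sid,
                "Set-Cookie: JSESSIONID=%s; Path=/app; Secure; HttpOnly" % sid):
        print(hdr, "->", audit_set_cookie(hdr) or "ok")
```

Run it directly and it prints the sniffed ID, the cURL line that replays it, and the audit verdict for both constructed responses. The audit only looks at cookie attributes, so it cannot catch the case Peter warns about: a session created over cleartext and then carried into the HTTPS part of the site has already been exposed, and adding Secure to it afterwards does not take it back. Apply the check to the response that first issues the session, and make sure that response was served over HTTPS.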

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]