-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David,

David Delbecq wrote:
| I think this is worth submitting a security issue request on tracker,
| to ask that, at least, the container links the requester IP to the
| session.

I'm pretty sure that nobody will want to do this -- at least not without
the ability to turn the feature off. You'll break a lot of users if you
require session id <-> ip address matching.

| Changing session ID upon login in container would be a good thing
| imho, it would ensure ID becomes unknown to attacker after login,
| wouldn't destroy user session (keep session, only change its
| identifier) and would work whatever authentication mechanism is used.
|
I completely agree. Christopher, I think your valve might be more
attractive if it was able to change the id of the session and leave it
at that. I'm not familiar enough with the Tomcat API to know if this is
possible and/or a good idea.

| Drawback is that webapps that rely on session id for some session
| tracking mechanism would break.

True, although most webapps probably use whatever session id is
currently in use. If you did a lot of AJAX where the session id
available to the page becomes out-of-date after a login, you will have
to make special considerations for that. I think you'll find that this
is not much of a problem.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkewsO8ACgkQ9CaO5/Lv0PBWXQCggsMZA1AGkdzSDvBmYeHC2JED
iU4An15g6IGrG/yU4mgWokKnVkXdnW0O
=eLbx
-----END PGP SIGNATURE-----
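
The id change on login discussed in this message, as an added example that is not part of the original e-mail and is not Tomcat code: a toy Python session store (`SessionStore`, `change_id` and `login` are hypothetical names) showing that re-keying keeps the session's attributes while the pre-login id stops resolving. A page still holding the old id in script would see the same empty result, which is the AJAX consideration raised above.

```python
import secrets


class SessionStore:
    """Toy stand-in for a container's session manager (hypothetical, not Tomcat's API)."""

    def __init__(self):
        self._sessions = {}  # session id -> attribute dict

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        # Unknown or retired ids resolve to no session at all.
        return self._sessions.get(sid)

    def change_id(self, old_sid):
        """Re-key the same session object under a fresh id; the old id dies."""
        attrs = self._sessions.pop(old_sid)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = attrs
        return new_sid

    def login(self, sid, user):
        """Rotate the id first, then mark the session as authenticated."""
        new_sid = self.change_id(sid)
        self._sessions[new_sid]["user"] = user
        return new_sid


def fixation_scenario():
    # Constructed scenario: an id known to a third party before login.
    store = SessionStore()
    planted = store.create()
    store.get(planted)["cart"] = ["book"]    # user browses on the known id
    fresh = store.login(planted, "alice")    # user logs in; id is rotated
    return {
        "old_id_resolves_to": store.get(planted),  # what the old id yields now
        "new_id_resolves_to": store.get(fresh),    # same session, new id
        "ids_differ": planted != fresh,
    }


if __name__ == "__main__":
    print(fixation_scenario())
```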
