

Groups > comp.lang.java.programmer > #18623

jsessionId (was: Re: Problem with tomcat 6.0.32)

From Andreas Leitgeb <avl@gamma.logic.tuwien.ac.at>
Newsgroups comp.lang.java.programmer
Subject jsessionId (was: Re: Problem with tomcat 6.0.32)
Date 2012-09-09 09:35 +0000
Organization A noiseless patient Spider
Message-ID <slrnk4oon8.u9l.avl@gamma.logic.tuwien.ac.at>
References (2 earlier) <504bffef$0$291$14726298@news.sunsite.dk> <k2h221$qpn$2@dont-email.me> <504c0c21$0$295$14726298@news.sunsite.dk> <k2h2s0$ucb$2@dont-email.me> <504c1262$0$284$14726298@news.sunsite.dk>



Arne Vajhøj <arne@vajhoej.dk> wrote:
>>>>> action="<%=response.encodeURL("CheckLogin")%>"
>>>>> to work with cookies disabled.
> I suspect that even some having done JSP's recently may have forgotten.

I know of a case, where the encodeURL was actually removed.

Some security-guys barfed on the session-id in the url-string.
They called it unsafe, for allowing easy session-takeover.  (Not
sure about the exact attack-vector they actually had in mind.)

Is that still an issue?  Probably, the "secure" way is to
pass the sessionId as a plain parameter in an https-POST
request, or as a cookie in any of https-GET or https-POST.

What's the current state of the art?

Does it matter for plain http, whether the jsessionId is
in the URL or in the still unencrypted other data? Surely
not for network-sniffers, but maybe it makes a difference
for simpler attacks?
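One concrete way to act on the security reviewers' objection is a servlet filter that refuses a session id carried in the URL (the `;jsessionid=...` that `encodeURL` appends when cookies are off) and forces the client back onto cookie-based tracking. This is an added example written for this thread, not code from the original post or from Tomcat; it assumes only the Servlet 2.5 API that Tomcat 6 implements, and the class and filter names are made up.

```java
// SessionIdInUrlFilter.java  (hypothetical name; register it in web.xml for /*)
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionIdInUrlFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // An id that arrived as a URL path parameter may have been copied from a
        // bookmark, a proxy log or a Referer header by someone other than its owner,
        // so treat it as burnt: drop the session and never honour the id.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // Rebuild the target without the ";jsessionid=..." path parameter and
            // redirect. The next request carries no id, so the container issues a
            // fresh one in a Set-Cookie header instead of in the URL.
            String uri = request.getRequestURI();
            int semi = uri.indexOf(';');
            if (semi >= 0) {
                uri = uri.substring(0, semi);
            }
            String query = request.getQueryString();
            response.sendRedirect(query != null ? uri + "?" + query : uri);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Clients with cookies disabled are bounced on every click, which is the intended trade-off of removing URL rewriting. Containers implementing Servlet 3.0 (Tomcat 7 and later) can declare `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml to get the same effect without a filter.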



Thread

Problem with tomcat 6.0.32 ruds <rudranee@gmail.com> - 2012-09-04 23:50 -0700
  Re: Problem with tomcat 6.0.32 markspace <-@.> - 2012-09-05 09:03 -0700
    Re: Problem with tomcat 6.0.32 ruds <rudranee@gmail.com> - 2012-09-05 20:36 -0700
      Re: Problem with tomcat 6.0.32 markspace <-@.> - 2012-09-05 22:27 -0700
  Re: Problem with tomcat 6.0.32 Fredrik Jonson <fredrik@jonson.org> - 2012-09-06 04:36 +0000
    Re: Problem with tomcat 6.0.32 Arne Vajhøj <arne@vajhoej.dk> - 2012-09-08 22:33 -0400
      Re: Problem with tomcat 6.0.32 markspace <-@.> - 2012-09-08 20:22 -0700
        Re: Problem with tomcat 6.0.32 Arne Vajhøj <arne@vajhoej.dk> - 2012-09-08 23:25 -0400
          Re: Problem with tomcat 6.0.32 Arne Vajhøj <arne@vajhoej.dk> - 2012-09-08 23:30 -0400
          Re: Problem with tomcat 6.0.32 markspace <-@.> - 2012-09-08 20:36 -0700
            Re: Problem with tomcat 6.0.32 Arne Vajhøj <arne@vajhoej.dk> - 2012-09-08 23:51 -0400
              jsessionId (was: Re: Problem with tomcat 6.0.32) Andreas Leitgeb <avl@gamma.logic.tuwien.ac.at> - 2012-09-09 09:35 +0000
                Re: jsessionId Arne Vajhøj <arne@vajhoej.dk> - 2012-09-09 09:39 -0400
