Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/07/28 13:26:26 UTC
DO NOT REPLY [Bug 10419] - Session-ID grabbing from Request accepts invalid session cookies in presence of valid URL sessions
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10419
------- Additional Comments From tino.schwarze@informatik.tu-chemnitz.de 2003-07-28 11:26 -------
Bug #15555 is related to this. I actually have a use case:
- Admin installs $WEBAPPLICATION
- forgets to disable cookies in Context; $WEBAPPLICATION always encodes sessions in URL
- users start using $WEBAPPLICATION
- Admin remembers after a week
- lots of users have cookies hanging around in their browsers and cannot log in any more because there is always a stale JSESSIONID cookie being sent by the browser and examined by Tomcat
We have been bitten by this bug several times.
Bye, Tino.
PS: Tested with Tomcat 4.1.24
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
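The failure mode in the comment above (a stale JSESSIONID cookie shadowing a valid ;jsessionid= path parameter) modelled as an added example. This is not Tomcat's code and not code from the bug report; it is a small stand-alone model of the two resolution orders: the cookie-first order the report complains about, and an order that falls back to the URL session when the cookie's session is not live. The session IDs, the VALID_SESSIONS store, the helper names and the cookie-clearing header are all constructed for the example.

```python
"""Model of the session-ID selection behind Tomcat bug 10419 (constructed example)."""
from typing import Optional

# Constructed server-side session store: only these IDs are live sessions.
VALID_SESSIONS = {"A1B2C3D4"}

COOKIE_NAME = "JSESSIONID"
URL_PARAM = ";jsessionid="


def session_id_from_url(request_uri: str) -> Optional[str]:
    """Extract the session ID that URL rewriting appends as a path parameter,
    e.g. /app/index.jsp;jsessionid=A1B2C3D4?x=1. The query string is ignored
    and a following path parameter or segment terminates the ID."""
    path = request_uri.split("?", 1)[0]
    idx = path.lower().find(URL_PARAM)
    if idx < 0:
        return None
    sid = path[idx + len(URL_PARAM):]
    for stop in (";", "/"):
        cut = sid.find(stop)
        if cut >= 0:
            sid = sid[:cut]
    return sid or None


def session_id_from_cookie(cookie_header: Optional[str]) -> Optional[str]:
    """Return the JSESSIONID value from a Cookie request header, if any."""
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value.strip().strip('"') or None
    return None


def is_live(sid: Optional[str], valid=VALID_SESSIONS) -> bool:
    return sid is not None and sid in valid


def resolve_cookie_first(cookie_header, request_uri, valid=VALID_SESSIONS):
    """Order the report describes: whenever a JSESSIONID cookie is present it is
    taken as the requested session ID, even if that session no longer exists,
    so a valid ID carried in the URL is never consulted."""
    sid = session_id_from_cookie(cookie_header)
    if sid is None:
        sid = session_id_from_url(request_uri)
    return sid


def resolve_prefer_live(cookie_header, request_uri, valid=VALID_SESSIONS):
    """Fallback order: use the cookie ID only if it names a live session;
    otherwise try the URL ID; otherwise return whatever was offered so the
    caller can treat it as invalid and start a fresh session."""
    cookie_sid = session_id_from_cookie(cookie_header)
    url_sid = session_id_from_url(request_uri)
    if is_live(cookie_sid, valid):
        return cookie_sid
    if is_live(url_sid, valid):
        return url_sid
    return cookie_sid or url_sid


def stale_cookie_clear_header(cookie_header, request_uri, path="/", valid=VALID_SESSIONS):
    """Constructed mitigation: when the browser sends a stale JSESSIONID cookie
    while the URL carries a live session, return a Set-Cookie header value that
    expires the cookie so later requests are resolved from the URL alone."""
    cookie_sid = session_id_from_cookie(cookie_header)
    url_sid = session_id_from_url(request_uri)
    if cookie_sid is not None and not is_live(cookie_sid, valid) and is_live(url_sid, valid):
        return f"{COOKIE_NAME}=; Max-Age=0; Path={path}"
    return None


if __name__ == "__main__":
    # Constructed request matching the admin's scenario: week-old cookie, valid URL session.
    stale_cookie = "JSESSIONID=DEADBEEF00; theme=dark"
    uri = "/app/index.jsp;jsessionid=A1B2C3D4?page=1"
    print("cookie-first picks:", resolve_cookie_first(stale_cookie, uri))
    print("prefer-live picks: ", resolve_prefer_live(stale_cookie, uri))
    print("mitigation header: ", stale_cookie_clear_header(stale_cookie, uri, path="/app"))
```

Run it as a script to see the two orders diverge on the same request: cookie-first returns the dead cookie ID, so every request looks like an expired session and the user can never log in, while the fallback order returns the live URL session. The Set-Cookie value is the kind of one-off cleanup an admin could send from a filter to get the stale cookies out of users' browsers; it is a constructed suggestion, not a Tomcat feature.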