Posted to users@tomcat.apache.org by curunir <sp...@synth.org> on 2007/12/12 07:33:49 UTC

Re: Turning off jsessionid

Since you were curious why someone would want to disable URL rewriting, I can
tell you why we had to do this.

For our client, it was taken for a given that users would be frequently
copying/pasting URLs in emails and IMs to other users. It's not a necessary
part of our application, but we all know the vast majority of computer users
are basically clueless when it comes to security and simply won't consider
the security implications of their actions. If you enable URL rewriting, it
makes it possible for someone visiting a URL sent to them in an email/IM to
be logged in as the user who was originally passed the URL. Additionally,
the users of the application frequently take screenshots when submitting
bugs and those screenshots would, in many cases, also include the session
id.

In our application, where real money is at stake, this kind of risk is
unacceptable. I'd go as far as to say that URL rewriting is fundamentally
insecure for this reason and should be turned off whenever it's possible
that URLs would be exposed in either of these two manners (provided your
application requires a decent level of security).



Christopher Schultz-2 wrote:
> 
> ...
> 
> I'm not sure why you'd ever want to do this, though. I'd love to hear
> your reason for doing it, though.
> 
> ...
> 
-- 
View this message in context: http://www.nabble.com/Turning-off-jsessionid-tp13430750p14289776.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Turning off jsessionid

Posted by Peter Stavrinides <p....@albourne.com>.
Actually this is not so uncommon, and there are many 'good' reasons to do 
so, see:
http://randomcoder.com/articles/jsessionid-considered-harmful

Here is an example of a filter that takes care of this:
http://randomcoder.com/repos/public/randomcoder-website/tags/1.0.3/WEB-INF/src/com/randomcoder/security/DisableUrlSessionFilter.java

Best wishes,
Peter

curunir wrote:
> Since you were curious why someone would want to disable URL rewriting, I can
> tell you why we had to do this.
>
> For our client, it was taken for a given that users would be frequently
> copying/pasting URLs in emails and IMs to other users. It's not a necessary
> part of our application, but we all know the vast majority of computer users
> are basically clueless when it comes to security and simply won't consider
> the security implications of their actions. If you enable URL rewriting, it
> makes it possible for someone visiting a URL sent to them in an email/IM to
> be logged in as the user who was originally passed the URL. Additionally,
> the users of the application frequently take screenshots when submitting
> bugs and those screenshots would, in many cases, also include the session
> id.
>
> In our application, where real money is at stake, this kind of risk is
> unacceptable. I'd go as far as to say that URL rewriting is fundamentally
> insecure for this reason and should be turned off whenever it's possible
> that URLs would be exposed in either of these two manners (provided your
> application requires a decent level of security).
>
>
>
> Christopher Schultz-2 wrote:
>   
>> ...
>>
>> I'm not sure why you'd ever want to do this, though. I'd love to hear
>> your reason for doing it, though.
>>
>> ...
>>
>>     


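The filter Peter links to is not reproduced in this thread, so the following is an added example (not the randomcoder code, and not part of either message) of how such a filter is typically built against the Servlet 2.x javax.servlet API. It does two things the discussion above calls for: it refuses to honour a session id that arrived in the URL (the pasted-link / screenshot case curunir describes), and it makes encodeURL()/encodeRedirectURL() identity functions so the application never emits ;jsessionid=... in the first place. The class name and behaviour are this example's own choices.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Example filter (not the randomcoder implementation) that disables
 * URL-based session tracking for every request it is mapped to.
 *
 * 1. If the container extracted the session id from the URL rather than
 *    from a cookie, the session is invalidated. A link copied into an
 *    e-mail, IM or bug screenshot can therefore never resume the original
 *    user's login.
 * 2. The response is wrapped so that encodeURL()/encodeRedirectURL() return
 *    the URL unchanged, so JSPs, <c:url>, sendRedirect() and friends never
 *    append ";jsessionid=..." to generated links.
 */
public class DisableUrlSessionFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed.
    }

    @Override
    public void destroy() {
        // Nothing to clean up.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A session id carried in the URL is untrusted: whoever holds the
        // link holds the session. Drop it before the application sees it.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }

        // Neutralise URL rewriting for everything downstream in the chain.
        HttpServletResponse noRewrite = new HttpServletResponseWrapper(response) {
            @Override
            public String encodeURL(String url) {
                return url;
            }

            @Override
            public String encodeRedirectURL(String url) {
                return url;
            }

            // Deprecated spellings still called by some older code paths.
            @Override
            @SuppressWarnings("deprecation")
            public String encodeUrl(String url) {
                return url;
            }

            @Override
            @SuppressWarnings("deprecation")
            public String encodeRedirectUrl(String url) {
                return url;
            }
        };

        chain.doFilter(request, noRewrite);
    }
}
```

Map it in web.xml with a <filter-mapping> on <url-pattern>/*</url-pattern> and place it first in the chain, otherwise an earlier filter can still call the unwrapped response. The trade-off is deliberate: a browser with cookies disabled can no longer keep a session, which is exactly the behaviour wanted when real money is at stake. On containers implementing Servlet 3.0 or later the same effect is available declaratively with <session-config><tracking-mode>COOKIE</tracking-mode></session-config> in web.xml, and Tomcat 6 exposed a disableURLRewriting="true" attribute on <Context>; the filter remains useful on Servlet 2.x deployments or when the application must stay container-neutral.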