Posted to users@tomcat.apache.org by Peter Crowther <Pe...@melandra.com> on 2007/04/04 17:12:12 UTC

[OT] RE: Session Hijacking with Apache Tomcat

> From: Mikolaj Rydzewski [mailto:miki@ceti.pl]
> Jasbinder Singh Bali wrote:
> > And how should I get rid of session hijacking. Is there any
> > feature in tomcat that takes care of it?
> Figure it out yourself, it's not so hard ;-)
>
> I.e. you can store the client's IP address in a session, and
> compare it with every request. If they don't match, then the
> session is probably hijacked.
> That's the easiest solution, which will break some clients.

Yes.  It's possible to get round that if you can inject packets onto the
network, but it's getting harder to do so unless you can compromise one
end of the network or the other - more routers and ISPs are dropping
packets with faked source IPs, and more servers are implementing
well-randomised TCP sequence numbers so that you can't fake a TCP
connection "blind".  However, packet injection is generally relatively
simple if you can get hold of a machine on the same local network as the
target user or the target server - and if you're able to sniff traffic,
there's a good chance you already have this.

		- Peter
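The check Mikolaj describes above (record the client's address when the session is first seen, compare it on every later request, and treat a mismatch as a probable hijack) fits naturally into a servlet Filter. The following is an added example, not code from the thread or from Tomcat itself; it assumes the javax.servlet API that Tomcat 5.5/6 ships with, and the class name, attribute name and error message are hypothetical.

```java
package example;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not part of the original thread): binds an HttpSession to the
 * client IP seen on its first request and rejects later requests for the same
 * session that arrive from a different address.
 *
 * Assumes the javax.servlet API (Servlet 2.4/2.5) bundled with Tomcat 5.5/6.
 * Class name and attribute name are hypothetical.
 */
public class SessionIpBindingFilter implements Filter {

    /** Session attribute under which the originating client address is kept. */
    static final String BOUND_IP_ATTR = "example.boundClientIp";

    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure for this example.
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session here, an anonymous request
        // has nothing to bind yet.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // getRemoteAddr() is the TCP peer address. Behind a reverse proxy or
            // load balancer that is the proxy's address for every user, which
            // makes this check worthless; the proxy must be configured so the
            // real client address reaches Tomcat before this filter is useful.
            String current = request.getRemoteAddr();
            String bound = (String) session.getAttribute(BOUND_IP_ATTR);

            if (bound == null) {
                // First request carrying this session id: record the address.
                session.setAttribute(BOUND_IP_ATTR, current);
            } else if (!bound.equals(current)) {
                // Address changed: probable hijack, or a legitimate client whose
                // address moved (this is the "will break some clients" case).
                // Fail closed: drop the session so neither party can keep using it.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Session is bound to a different client address");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}

/*
 * web.xml wiring for the example (hypothetical names):
 *
 *   <filter>
 *     <filter-name>SessionIpBinding</filter-name>
 *     <filter-class>example.SessionIpBindingFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>SessionIpBinding</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
```

Two practical notes on the design: the filter invalidates the session on mismatch rather than just refusing the one request, so a stolen cookie is useless from that point on even if the legitimate user is the one who tripped the check; and the check is only as good as getRemoteAddr(), so a deployment behind a proxy has to pass the real client address through, otherwise every user shares one address and the comparison never fails.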

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org