Posted to user@struts.apache.org by Adam Hardy <ah...@cyberspaceroad.com> on 2003/12/03 13:37:24 UTC

[OT] Re: Changing SessionId at every request

Will Hartung was asking the same questions just hours ago in the thread 
"cross-site single sign on" on the tomcat user list - so you are not 
alone. However I don't have any experience with this (& it's getting 
OT). Sorry. Following is an interesting bit from his message:

> Now, if you have sitea.com and siteb.com, then the cookie technique can't
> work (as neither can set a cookie for the other). So, I'm thinking that you
> can do something similar, a signed token, in a hidden field and then having
> to submit a form to get to the new site.
> 
> Of course, you can always stick the token on the URL as well.

On 12/03/2003 10:42 AM Gurpreet Dhanoa wrote:
> hi Adam
> 
> You are on the right track in understanding my concern. Anyway I have
> made it possible. But now there is a small new issue.
> it is
> 
> I want to access the sessionId of another Web Server into some other web
> server.
> I mean, say I have a domain A on Server A, I want to access the sessionId of
> Domain A onto the Domain B on Server B.
> 
> I think this is a very strange question but I have been asked the same.
> 
> Any help from you guys
> Thanks
> Gary
> 
> 
> 
> ----- Original Message -----
> From: "Adam Hardy" <ah...@cyberspaceroad.com>
> To: "Struts Users Mailing List" <st...@jakarta.apache.org>
> Sent: Wednesday, December 03, 2003 3:03 PM
> Subject: Re: Changing SessionId at every request
> 
> 
> 
>>I assume that Gurpreet wants to do it for security reasons and it's not
>>a bad idea. It certainly means that nobody would be able to share a
>>session, and so therefore a session-hijack would become obvious
>>immediately.
>>
>>I think expiring the session is overkill - I would just leave the
>>session as it is and use the filter to check and change my own
>>hand-rolled session id.
>>
>>Adam
>>
>>On 12/03/2003 08:20 AM Navjot Singh wrote:
>>
>>>don't know why do you wish to do so?
>>>but it can be done. Write a filter. pass every request thru that.
>>>
>>>1. Fetch the session, expire it. Server will assign new.
>>>2. Fetch the session, don't expire the session, just append a timestamp to
>>>it. set a cookie and use that to maintain session.
>>>
>>>HTH
>>>navjot singh
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Gurpreet Dhanoa [mailto:gurpreetd@smartdatainc.com]
>>>>Sent: Wednesday, December 03, 2003 11:44 AM
>>>>To: Struts Users Mailing List
>>>>Subject: Changing SessionId at every request
>>>>
>>>>
>>>>HI,
>>>>
>>>>Is it possible to change the Session Id generated by the Web
>>>>Server at every request for the same client. I will make it much
>>>>more clear.
>>>>
>>>>Say I have a Servlet running on Tomcat. What I want is whenever
>>>>any User, let's assume USER A, asks for a request I want to change the
>>>>sessionId server variable which has been generated by the Web
>>>>Server to uniquely identify the client.
>>>>
>>>>Purpose behind doing this is to make every request safe.
>>>>
>>>>
>>>>Any suggestions will be highly appreciated.
>>>>
>>>>
>>>>Thanks in Advance
>>>>Gary
>>>>


-- 
struts 1.1 + tomcat 5.0.14 + java 1.4.2
Linux 2.4.20 RH9
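
The signed-token handoff from the quoted tomcat-user message, as an added example (not code from this thread or from Struts or Tomcat): site A issues an HMAC-signed, expiring, single-use token for the hidden form field, and site B verifies it before creating its own session. The class name `HandoffToken`, the token layout, the pre-shared key, the in-memory nonce set and Java 8+ are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class HandoffToken {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final byte[] key;   // secret shared by site A and site B (assumption)
    private final Set<String> seen = ConcurrentHashMap.newKeySet(); // nonces already accepted
    HandoffToken(byte[] key) { this.key = key.clone(); }

    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    /** Site A: build user.expiry.nonce.signature for the hidden field. */
    String issue(String user, long nowMs, long ttlMs) throws Exception {
        byte[] n = new byte[16];
        new SecureRandom().nextBytes(n);
        String u = B64.encodeToString(user.getBytes(StandardCharsets.UTF_8));
        String payload = u + "." + (nowMs + ttlMs) + "." + B64.encodeToString(n);
        return payload + "." + B64.encodeToString(mac(payload));
    }

    /** Site B: return the user name, or null if forged, expired or replayed. */
    String verify(String token, long nowMs) throws Exception {
        int cut = token.lastIndexOf('.');
        if (cut < 0) return null;
        String payload = token.substring(0, cut);
        byte[] want = B64.encodeToString(mac(payload)).getBytes(StandardCharsets.UTF_8);
        byte[] given = token.substring(cut + 1).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(want, given)) return null;  // constant-time compare
        String[] p = payload.split("\\.");   // safe to parse: payload is authenticated
        if (p.length != 3 || Long.parseLong(p[1]) < nowMs) return null;  // expired
        if (!seen.add(p[2])) return null;    // single use: reject a replayed token
        return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] k = "constructed-demo-key-0123456789ab".getBytes(StandardCharsets.UTF_8);
        HandoffToken t = new HandoffToken(k);      // constructed key, demo only
        String tok = t.issue("gary", 1_000L, 60_000L);
        System.out.println(t.verify(tok, 2_000L));        // first presentation
        System.out.println(t.verify(tok, 2_000L));        // same token replayed
    }
}
```

Keeping the lifetime short and the token single-use matters most when the token travels on the URL, where it can end up in logs, browser history and Referer headers.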
