Posted to users@cocoon.apache.org by Gregory Robert R F IT44 <ro...@siemens.com> on 2005/09/13 14:27:47 UTC

Security Question

Hi,
 
I am running tomcat 4.1.23 and cocoon 2.1.3.

I have a number of web applications that use the cocoon session module,
and as part of a security audit I have been asked the following question:
 
'... it is absolutely necessary to generate cryptographically strong
session parameters. This means that the use of cryptographically proven
random number generators with at least 128 bit session-ID is advised'
 
Could anyone tell me if the above statement is satisfied?
 
Thanks,
 
Rob Gregory
 

Re: Security Question

Posted by Upayavira <uv...@odoko.co.uk>.
Gregory Robert R F IT44 wrote:
> Hi,
>  
> I am running tomcat 4.1.23 and cocoon 2.1.3.
> I have a number of web applications that use the cocoon session module, 
> and as part of a security audit I have been asked the following question:
>  
> '... it is absolutely necessary to generate cryptographically strong 
> session parameters. This means that the use of cryptographically proven 
> random number generators with at least 128 bit session-ID is advised'
>  
> Could anyone tell me if the above statement is satisfied?

It is my understanding that Cocoon makes use of the servlet container 
(Tomcat) to create session IDs. So, configure Tomcat correctly, and 
Cocoon will be conformant.

Hope that helps.

Regards, Upayavira
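
One way to check the length half of the audit requirement against what the container actually issues (an added example, not part of the original thread and not Tomcat or Cocoon code). It assumes hex-encoded `JSESSIONID` values with an optional `.route` suffix; the sample headers are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample Set-Cookie headers (not captured from a real server).
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=3F2A9C0D7B1E4F6A8C5D0E9B2A7F1C34; Path=/app",
    "Set-Cookie: JSESSIONID=A1B2C3D4E5F60718293A4B5C6D7E8F90.node1; Path=/app",
    "Set-Cookie: JSESSIONID=00000000000012AB; Path=/app",
    "Set-Cookie: JSESSIONID=3F2A9C0D7B1E4F6A8C5D0E9B2A7F1C34; Path=/app",
]

COOKIE_RE = re.compile(r"JSESSIONID=([^;\s]+)", re.IGNORECASE)
MIN_BITS = 128  # threshold quoted in the audit question


def extract_id(header):
    """Return the session ID, dropping an optional '.route' suffix (assumed format)."""
    m = COOKIE_RE.search(header)
    return m.group(1).split(".", 1)[0] if m else None


def encoded_bits(session_id):
    """Upper bound on the bits the ID can carry, assuming hex (4 bits per character)."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", session_id):
        raise ValueError("not hex-encoded: %r" % session_id)
    return 4 * len(session_id)


def audit(headers, min_bits=MIN_BITS):
    """Return (short_ids, repeated_ids) found in the given headers."""
    ids = [i for i in map(extract_id, headers) if i]
    # IDs whose encoding cannot hold the required number of bits.
    short = sorted({i for i in ids if encoded_bits(i) < min_bits})
    # The same ID issued more than once in the sample.
    repeated = sorted(i for i, n in Counter(ids).items() if n > 1)
    return short, repeated


if __name__ == "__main__":
    short, repeated = audit(SAMPLE_HEADERS)
    print("IDs below %d bits: %s" % (MIN_BITS, short))
    print("IDs issued more than once: %s" % repeated)
```

The bit count is only an upper bound given by the encoding. Whether the generator behind the IDs is cryptographically strong depends on how the servlet container is configured and cannot be read off the ID length.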
