Posted to users@tomcat.apache.org by John Klancer <ca...@calhoun.plus.com> on 2003/04/07 13:35:08 UTC

How to track a session between webserver and Tomcat?

For authentication reasons (see my recent post "Single authentication
between IIS & Tomcat - My ip-based solution okay?") I would like to
track a session between my webserver (IIS in this case) and Tomcat. 

I can do this with cookies, but they are susceptible to being sniffed
during transmission and later forged. Therefore, I would like to
eliminate session-tracking information from the transmissions between
client and server. Does anyone know of a way to reliably & securely
track a session between a webserver and Tomcat?

Info:
I am running IIS 5.1 on WinXP, Tomcat 2.1.24 on the same WinXP host
Requests are redirected using the ISAPI redirector v.2

Thank you for any help!

 - John



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: How to track a session between webserver and Tomcat?

Posted by Joe Sam Shirah <js...@attglobal.net>.
> cookies are generally viewed as being the most practical
> method today.

    And, IMO, a very clear case of developer arrogance, choosing convenience
over the interests, concerns and preferences of clients.  Especially since
most browsers offer only all or none options.


                                                         Joe Sam

Joe Sam Shirah -        http://www.conceptgo.com
conceptGO         -        Consulting/Development/Outsourcing
Java Filter Forum:       http://www.ibm.com/developerworks/java/
Just the JDBC FAQs: http://www.jguru.com/faq/JDBC
Going International?    http://www.jguru.com/faq/I18N
Que Java400?             http://www.jguru.com/faq/Java400



----- Original Message -----
From: "Gary Gwin" <to...@cafesoft.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Monday, April 07, 2003 5:59 PM
Subject: Re: How to track a session between webserver and Tomcat?


> John,
>
> There are three generally accepted ways to maintain session identity
> across tiers or servers:
>
> 1) Cookies
> 2) URL rewriting
> 3) Hidden form fields
>
> None of these solutions is perfect but cookies are generally viewed as
> being the most practical method today. Given that you take reasonable
> security measures like encrypting the payload and implementing a session
> timeout, they are not considered to be "unsecure". Many would also
> suggest that you only create and use session cookies via an SSL
> connection, but this is not always practical and more a function of the
> threat against vs. the value of the resource that you are trying to
> secure.
>
> Gary
>
> John Klancer wrote:
> > For authentication reasons (see my recent post "Single authentication
> > between IIS & Tomcat - My ip-based solution okay?") I would like to
> > track a session between my webserver (IIS in this case) and Tomcat.
> >
> > I can do this with cookies, but they are susceptible to being sniffed
> > during transmission and later forged. Therefore, I would like to
> > eliminate session-tracking information from the transmissions between
> > client and server. Does anyone know of a way to reliably & securely
> > track a session between a webserver and Tomcat?
> >
> > Info:
> > I am running IIS 5.1 on WinXP, Tomcat 2.1.24 on the same WinXP host
> > Requests are redirected using the ISAPI redirector v.2
> >
> > Thank you for any help!
> >
> >  - John
> >



RE: How to track a session between webserver and Tomcat?

Posted by John Klancer <ca...@calhoun.plus.com>.
Gary,

Thank you for running down that for me. At this point, I am planning to
implement a cookies-based solution, probably with encryption later. I
did take a look at the cafesoft software (http://www.cafesoft.com), by
the way - it looked like it provides a good solution but is more than we
need, I think, for this relatively minor project.

Joe Sam,

Would you please explain what you mean by your comment on using cookies
for this? If there is another alternative that you believe is better,
can you describe it? I would appreciate it, as I'm inexperienced in this
area. Thanks


 - John

-----Original Message-----
From: Gary Gwin [mailto:tomcat@cafesoft.com] 
Sent: 07 April 2003 23:00
To: Tomcat Users List
Subject: Re: How to track a session between webserver and Tomcat?


John,

There are three generally accepted ways to maintain session identity 
across tiers or servers:

	1) Cookies
	2) URL rewriting
	3) Hidden form fields

None of these solutions is perfect but cookies are generally viewed as 
being the most practical method today. Given that you take reasonable 
security measures like encrypting the payload and implementing a session 
timeout, they are not considered to be "unsecure". Many would also 
suggest that you only create and use session cookies via an SSL 
connection, but this is not always practical and more a function of the 
threat against vs. the value of the resource that you are trying to
secure.

Gary

John Klancer wrote:
> For authentication reasons (see my recent post "Single authentication 
> between IIS & Tomcat - My ip-based solution okay?") I would like to 
> track a session between my webserver (IIS in this case) and Tomcat.
> 
> I can do this with cookies, but they are susceptible to being sniffed 
> during transmission and later forged. Therefore, I would like to 
> eliminate session-tracking information from the transmissions between 
> client and server. Does anyone know of a way to reliably & securely 
> track a session between a webserver and Tomcat?
> 
> Info:
> I am running IIS 5.1 on WinXP, Tomcat 2.1.24 on the same WinXP host 
> Requests are redirected using the ISAPI redirector v.2
> 
> Thank you for any help!
> 
>  - John
> 
> 

-- 

Gary Gwin
http://www.cafesoft.com

*****************************************************************
*                                                               *
*   The Cafesoft Access Management System, Cams, is security    *
*   software that provides single sign-on authentication and    *
*   centralized access control for Apache, Tomcat, and custom   *
*   resources.                                                  *
*                                                               *
*****************************************************************



Re: How to track a session between webserver and Tomcat?

Posted by Gary Gwin <to...@cafesoft.com>.
John,

There are three generally accepted ways to maintain session identity 
across tiers or servers:

	1) Cookies
	2) URL rewriting
	3) Hidden form fields

None of these solutions is perfect but cookies are generally viewed as 
being the most practical method today. Given that you take reasonable 
security measures like encrypting the payload and implementing a session 
timeout, they are not considered to be "unsecure". Many would also 
suggest that you only create and use session cookies via an SSL 
connection, but this is not always practical and more a function of the 
threat against vs. the value of the resource that you are trying to secure.

Gary

John Klancer wrote:
> For authentication reasons (see my recent post "Single authentication
> between IIS & Tomcat - My ip-based solution okay?") I would like to
> track a session between my webserver (IIS in this case) and Tomcat. 
> 
> I can do this with cookies, but they are susceptible to being sniffed
> during transmission and later forged. Therefore, I would like to
> eliminate session-tracking information from the transmissions between
> client and server. Does anyone know of a way to reliably & securely
> track a session between a webserver and Tomcat?
> 
> Info:
> I am running IIS 5.1 on WinXP, Tomcat 2.1.24 on the same WinXP host
> Requests are redirected using the ISAPI redirector v.2
> 
> Thank you for any help!
> 
>  - John
> 
> 

-- 

Gary Gwin
http://www.cafesoft.com

*****************************************************************
*                                                               *
*   The Cafesoft Access Management System, Cams, is security    *
*   software that provides single sign-on authentication and    *
*   centralized access control for Apache, Tomcat, and custom   *
*   resources.                                                  *
*                                                               *
*****************************************************************
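The cookie approach Gary outlines, as an added example that is not code from this thread, from Tomcat or from Cafesoft: a Python sketch of a session cookie whose value carries an expiry and an HMAC tag, so a forged or edited cookie fails verification, a stale one times out, and the Set-Cookie attributes keep it off plain HTTP. It protects the payload with a signature rather than the encryption Gary mentions (the user id stays readable but cannot be altered); if the contents must also be confidential, encrypt them as well. The function names, the cookie name SESSION, the 15-minute timeout, the server key and the sample user ids are all assumptions made for this example.

```python
"""Signed, expiring session cookie (added example; not Tomcat code).

Demonstrates the measures discussed in the thread: integrity protection of
the cookie payload (an HMAC tag here, in place of encryption), a session
timeout carried inside the cookie, and a Secure/HttpOnly Set-Cookie header.
All names and values below are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import secrets
import time

# Server-side key, constructed at import time for this example. A real
# deployment loads it from configuration and shares it between the servers
# (here IIS-side code and Tomcat) that must accept each other's cookies.
SERVER_KEY = secrets.token_bytes(32)

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed session timeout
COOKIE_NAME = "SESSION"          # assumed cookie name


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is a legal cookie string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def mint_session_cookie(user_id: str, now: float, key: bytes = SERVER_KEY) -> str:
    """Return 'user_id.expiry.nonce.tag'. The tag covers all three fields, so a
    client cannot change the user or move the expiry without detection.
    user_id is assumed to be a simple token (letters, digits, '-', '_', '.')."""
    expiry = int(now) + IDLE_TIMEOUT_SECONDS
    nonce = _b64(secrets.token_bytes(16))     # unique per session
    payload = f"{user_id}.{expiry}.{nonce}".encode()
    return payload.decode() + "." + _b64(_tag(payload, key))


def verify_session_cookie(value: str, now: float, key: bytes = SERVER_KEY):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    try:
        user_id, expiry_s, nonce, tag_s = value.rsplit(".", 3)
        expiry = int(expiry_s)
        tag = _unb64(tag_s)
    except ValueError:                 # malformed cookie (binascii.Error is a ValueError)
        return None
    payload = f"{user_id}.{expiry_s}.{nonce}".encode()
    # Constant-time comparison: a forged or edited cookie fails here.
    if not hmac.compare_digest(tag, _tag(payload, key)):
        return None
    if int(now) >= expiry:             # session timeout
        return None
    return user_id


def refresh_session_cookie(value: str, now: float, key: bytes = SERVER_KEY):
    """Idle timeout: re-mint on each authenticated request so the expiry slides.
    Returns None when the presented cookie is not acceptable."""
    user_id = verify_session_cookie(value, now, key)
    return None if user_id is None else mint_session_cookie(user_id, now, key)


def set_cookie_header(value: str, secure: bool = True) -> str:
    """Set-Cookie header text. Secure stops the browser sending the cookie over
    plain HTTP (the SSL-only advice); HttpOnly keeps page scripts from reading it."""
    attrs = [f"{COOKIE_NAME}={value}", "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    now = time.time()
    cookie = mint_session_cookie("alice", now)
    print(set_cookie_header(cookie))
    print("valid:", verify_session_cookie(cookie, now + 60))
    print("after timeout:", verify_session_cookie(cookie, now + IDLE_TIMEOUT_SECONDS))
    print("forged:", verify_session_cookie("mallory" + cookie[len("alice"):], now))
```

The signature answers the forging half of John's worry: a cookie built without the server key, or modified after issue, is rejected before any session state is touched. It does nothing about the sniffing half, since a copied cookie is still valid until it expires; that is why the Secure attribute (and serving the application over HTTPS) and a short timeout sit alongside it rather than being optional extras.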


RE: How to track a session between webserver and Tomcat?

Posted by Johan Bryssling <jo...@assembla.se>.
Session handling in Tomcat is always done with cookies. You don't see it,
because you don't handle them directly. (Activate the "see cookie"
option in Internet Explorer to see the SESSION ID in the cookie when you
access a JSP or SERVLET that creates or requires a session.)

Protect the transmission with HTTPS and you shouldn't have to worry
anymore.

/Johan



-----Original Message-----
From: John Klancer [mailto:calhoun@calhoun.plus.com]
Sent: den 7 april 2003 13:35
To: tomcat-user@jakarta.apache.org
Subject: How to track a session between webserver and Tomcat?


For authentication reasons (see my recent post "Single authentication
between IIS & Tomcat - My ip-based solution okay?") I would like to
track a session between my webserver (IIS in this case) and Tomcat.

I can do this with cookies, but they are susceptible to being sniffed
during transmission and later forged. Therefore, I would like to
eliminate session-tracking information from the transmissions between
client and server. Does anyone know of a way to reliably & securely
track a session between a webserver and Tomcat?

Info:
I am running IIS 5.1 on WinXP, Tomcat 2.1.24 on the same WinXP host
Requests are redirected using the ISAPI redirector v.2

Thank you for any help!

 - John
