Posted to users@tomcat.apache.org by "Millies, Sebastian" <Se...@ids-scheer.com> on 2005/05/12 16:57:29 UTC

Can a client recapture a session in Tomcat 4.1

Can a client recapture his Tomcat session after he
has accidentally closed the browser, provided that
the session object still exists on the server?

Would this be a browser-specific thing? After all,
I guess I'd need to tell the browser to persist
the session cookie or some such thing. Or would it
work browser-independently using URL-rewriting?

If there is such a mechanism, does it pose any
security concerns (e. g. through Tomcat reusing
a session-id for a totally different session?)

We're on Tomcat 4.1. Would the answer be any
different for Tomcat 5.0?

Thanks for any enlightenment or additional
pointers. -- Sebastian

----------------------------------------------
Sebastian Millies, IDS Scheer AG
Postfach 10 15 34, 66015 Saarbrücken
Zi D1.16, Sebastian.Millies@ids-scheer.com
fon +49-681-210-3221, fax +49-681-210-1311

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Can a client recapture a session in Tomcat 4.1

Posted by Ronald Klop <ro...@base.nl>.
Yes. You only have to send the right cookie header to the server. And if the browser exits, the right header info is lost.
So, if you create a browser which doesn't lose cookie info, you are done.

This has nothing to do with which server you are running. For php, asp or anything else it works the same.

Ronald.

On Thu May 12 16:57:29 CEST 2005 Tomcat Users List <to...@jakarta.apache.org> wrote:
> 
> Can a client recapture his Tomcat session after he
> has accidentally closed the browser, provided that
> the session object still exists on the server?
> 
> Would this be a browser-specific thing? After all,
> I guess I'd need to tell the browser to persist
> the session cookie or some such thing. Or would it
> work browser-independently using URL-rewriting?
> 
> If there is such a mechanism, does it pose any
> security concerns (e. g. through Tomcat reusing
> a session-id for a totally different session?)
> 
> We're on Tomcat 4.1. Would the answer be any
> different for Tomcat 5.0?
> 
> Thanks for any enlightenment or additional
> pointers. -- Sebastian
> 
> ----------------------------------------------
> Sebastian Millies, IDS Scheer AG
> Postfach 10 15 34, 66015 Saarbrücken
> Zi D1.16, Sebastian.Millies@ids-scheer.com
> fon +49-681-210-3221, fax +49-681-210-1311
> 


Re: Can a client recapture a session in Tomcat 4.1

Posted by Lutz Zetzsche <Lu...@sea-rescue.de>.
Hi Sebastian,

On Thursday, 12 May 2005 16:57, Millies, Sebastian wrote:
> Can a client recapture his Tomcat session after he
> has accidentally closed the browser, provided that
> the session object still exists on the server?
>
> Would this be a browser-specific thing? After all,
> I guess I'd need to tell the browser to persist
> the session cookie or some such thing. Or would it
> work browser-independently using URL-rewriting?
>
> If there is such a mechanism, does it pose any
> security concerns (e. g. through Tomcat reusing
> a session-id for a totally different session?)
>
> We're on Tomcat 4.1. Would the answer be any
> different for Tomcat 5.0?
>
> Thanks for any enlightenment or additional
> pointers.

From my point of view, you are already asking the right questions.

Firstly, if you always maintained the session by using cookies and 
never by transporting the session id in the URL, if you furthermore 
set a persistent session cookie which is not destroyed when the 
browser is closed, and if, last but not least, the user had configured 
his browser accordingly (not deleting cookies when closing the 
browser), then it would be possible to re-capture the Tomcat session 
as long as it still existed on the server.

As you can see, there are a lot of ifs.

Secondly, it would be a severe security hole in your application if you 
set persistent session cookies. From the security point of view, the 
session cookie has to be destroyed when the browser is closed.

Imagine a user closes the browser intentionally, not accidentally, and 
the next user can re-capture, or rather hijack, his session just 
because the session cookie is persistent.

Draw the conclusion yourself, but a persistent session cookie to comfort 
the user who closes the browser accidentally results in a security hole 
which I would not allow in my web application. It cannot be in the 
interest of the user concerned that you cannot guarantee the privacy of 
his data after the browser has been closed, due to persistent session 
cookies.


Best wishes

Lutz



Re: Can a client recapture a session in Tomcat 4.1

Posted by Will Hartung <wi...@msoft.com>.
> From: Millies, Sebastian [mailto:Sebastian.Millies@ids-scheer.com]
> Sent: 12 May 2005 15:57

> Can a client recapture his Tomcat session after he has accidentally closed
> the browser, provided that the session object still exists on the server?

If the client authenticates to your server (i.e. they log in), then you can
use their login credentials as a key for session data.

The downside is that you'll have to basically build your own session manager
to facilitate this. (To handle expiration, inactivation, etc. if you want
those features).

However, there's no reason you can't leverage the built in session listeners
to help implement this. For example, you can do some crude reference
counting and when a user logs in, you register their session with your
login-ID based session manager.

Then, when the session expires (and calls the listener), it can check to see
if any other sessions are registered, and if not, then it can safely kill
the login-ID based session. This gives you the time out capability fairly
cheaply.

You don't get serialization and such though, nor clustering, but if you're
not using those features, you don't care.

Actually, as an aside, this would be a bit nasty, but you may be able to
tweak the Tomcat session code to instead of using a temporary, browser based
JSESSIONID cookie, make it permanent (but still expire in, say, an hour --
whatever timeout is suitable). This cookie would survive browser restarts
(for good and ill). Other folks have mentioned the potential ramifications
of that, but by doing it this way, it's possible. Just hope they don't use
this in a public library.

This basically redefines how sessions work for YOUR Tomcat, but it doesn't
sound like an arduous change, and you get all of the other Tomcat session
infrastructure for free. Your webapp won't be portable if you rely on this
though, since you have to change Tomcat itself to make it work.

Regards,

Will Hartung
(willh@msoft.com)


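Will's login-ID based session manager with listener-driven reference counting, as an added example written for this thread (it is not code from the thread, from Tomcat, or from any of the posters). The class and method names are assumed, it is written against the javax.servlet 2.3 HttpSessionListener API with Java 8 collections, and it assumes the application's login servlet calls bind() only after it has verified the user's credentials.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Login-ID keyed state that survives a browser restart WITHOUT a persistent
// JSESSIONID cookie: the user logs in again and the new HttpSession is bound to
// the state kept under their login ID. Registered in web.xml as a <listener>.
public class LoginSessionRegistry implements HttpSessionListener {
    // HttpSession id -> login ID (kept here so sessionDestroyed never has to read
    // attributes from a session that is already being torn down)
    private static final Map<String, String> loginBySession = new HashMap<>();
    // login ID -> ids of live HttpSessions bound to it (the "crude reference count")
    private static final Map<String, Set<String>> sessionsByLogin = new HashMap<>();
    // login ID -> per-user state shared by all of that login's sessions
    private static final Map<String, Map<String, Object>> stateByLogin = new HashMap<>();

    // Call from the login servlet only after the credentials have been verified.
    public static synchronized Map<String, Object> bind(HttpSession session, String loginId) {
        loginBySession.put(session.getId(), loginId);
        sessionsByLogin.computeIfAbsent(loginId, k -> new HashSet<>()).add(session.getId());
        return stateByLogin.computeIfAbsent(loginId, k -> new HashMap<>());
    }

    // Explicit logout: drop this session's reference now, then let Tomcat destroy it.
    public static void unbind(HttpSession session) {
        release(session.getId());
        session.invalidate();   // triggers sessionDestroyed, where release() is a no-op
    }

    private static synchronized void release(String sessionId) {
        String loginId = loginBySession.remove(sessionId);
        if (loginId == null) return;                 // session was never bound to a login
        Set<String> ids = sessionsByLogin.get(loginId);
        if (ids != null) ids.remove(sessionId);
        if (ids == null || ids.isEmpty()) {          // last reference gone: drop login state
            sessionsByLogin.remove(loginId);
            stateByLogin.remove(loginId);
        }
    }
    public void sessionCreated(HttpSessionEvent e) { }   // nothing to do until login

    // Tomcat calls this on session timeout or invalidate(): the cheap timeout capability.
    public void sessionDestroyed(HttpSessionEvent e) {
        release(e.getSession().getId());
    }
}
```

Because re-attachment always goes through the login step, JSESSIONID can stay an ordinary browser-session cookie, which avoids the hijack scenario Lutz describes while still giving the user back their data after an accidental browser close.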


Re: Can a client recapture a session in Tomcat 4.1

Posted by Lutz Zetzsche <Lu...@sea-rescue.de>.
Hi Tim,

On Thursday, 12 May 2005 17:20, Tim Diggins wrote:
> Using IP sounds a bit scary as a lookup - think of all the users with
> equivalent IP addresses (because of NATing routers/firewalls, etc.).
> Plus it strikes me it would be a nightmare to test...
>
> But, if instead you wanted to have a session that wasn't linked to
> tomcat's notion of a session, you could (maybe) build a separate
> Session management that was stored in a regular (non-session) cookie
> -- it would then persist "across sessions" in the same browser...

But how do you validate that it is still the "right" person in front of 
the pc / monitor? ;-) Persistent session cookies are simply an 
unacceptable security breach if more than one person can have access to 
the pc.


Best wishes

Lutz



RE: Can a client recapture a session in Tomcat 4.1

Posted by Arup Vidyerthy <ar...@limehouse.co.uk>.
I agree, actually once I posted it I thought the same thing. What I
suggested is not particularly useful but I have seen it done :-(

I guess, in the end this whole session persistence is just a bad idea.

Arup

-----Original Message-----
From: Tim Diggins [mailto:subscribed@red56.co.uk] 
Sent: 12 May 2005 16:21
To: Tomcat Users List
Subject: Re: Can a client recapture a session in Tomcat 4.1

Using IP sounds a bit scary as a lookup - think of all the users with
equivalent IP addresses (because of NATing routers/firewalls, etc.). 
Plus it strikes me it would be a nightmare to test...

But, if instead you wanted to have a session that wasn't linked to tomcat's
notion of a session, you could (maybe) build a separate Session management
that was stored in a regular (non-session) cookie -- it would
then persist "across sessions" in the same browser...

Tim

Arup Vidyerthy wrote:
> I am not sure if this can be done... I guess you could build a framework 
> where the user's session id and IP are logged (unless they log out) and 
> then when the user comes back you could use the old session. I have 
> never tried this personally but I don't see why it should not
> work.
> 
> Arup



Re: Can a client recapture a session in Tomcat 4.1

Posted by Tim Diggins <su...@red56.co.uk>.
Using IP sounds a bit scary as a lookup - think of all the users with 
equivalent IP addresses (because of NATing routers/firewalls, etc.). 
Plus it strikes me it would be a nightmare to test...

But, if instead you wanted to have a session that wasn't linked to 
tomcat's notion of a session, you could (maybe) build a separate Session 
management that was stored in a regular (non-session) cookie -- it would 
then persist "across sessions" in the same browser...

Tim

Arup Vidyerthy wrote:
> I am not sure if this can be done... I guess you could build a framework where
> the user's session id and IP are logged (unless they log out) and then when
> the user comes back you could use the old session. I have never tried this
> personally but I don't see why it should not work. 
> 
> Arup


RE: Can a client recapture a session in Tomcat 4.1

Posted by Arup Vidyerthy <ar...@limehouse.co.uk>.
I am not sure if this can be done... I guess you could build a framework where
the user's session id and IP are logged (unless they log out) and then when
the user comes back you could use the old session. I have never tried this
personally but I don't see why it should not work. 

Arup
-----Original Message-----
From: Millies, Sebastian [mailto:Sebastian.Millies@ids-scheer.com] 
Sent: 12 May 2005 15:57
To: tomcat-user@jakarta.apache.org
Subject: Can a client recapture a session in Tomcat 4.1


Can a client recapture his Tomcat session after he has accidentally closed
the browser, provided that the session object still exists on the server?

Would this be a browser-specific thing? After all, I guess I'd need to tell
the browser to persist the session cookie or some such thing. Or would it
work browser-independently using URL-rewriting?

If there is such a mechanism, does it pose any security concerns (e. g.
through Tomcat reusing a session-id for a totally different session?)

We're on Tomcat 4.1. Would the answer be any different for Tomcat 5.0?

Thanks for any enlightenment or additional pointers. -- Sebastian

----------------------------------------------
Sebastian Millies, IDS Scheer AG
Postfach 10 15 34, 66015 Saarbrücken
Zi D1.16, Sebastian.Millies@ids-scheer.com fon +49-681-210-3221, fax
+49-681-210-1311
