Posted to dev@tomcat.apache.org by bu...@apache.org on 2005/10/25 12:30:59 UTC

DO NOT REPLY [Bug 35709] - allow to create a short-lived secondary session from a request to prevent cross-site scripting-like attacks

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=35709>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=35709


------- Additional Comments From hauser@acm.org  2005-10-25 12:30 -------
For those who want to "harden" their home-grown solutions to this, a first take
at a test script for both URL-rewriting and cookie-based session management:
<HTML>
<HEAD>
<TITLE>Test</TITLE>
<SCRIPT>
// Tomcat's default session cookie is JSESSIONID; cookie names are
// case-sensitive, so adjust this for a home-grown session scheme.
var SESSION_COOKIE="JSESSIONID";

// Returns the query string (including the leading "?") with "+" turned
// into spaces and percent-escapes decoded, or "" if there is none.
function getQueryString(){
    var c=document.location.toString(),i=c.indexOf("?");
    return(i<0)?"":unescape((c.substring(i)).replace(/\+/g," ")); }

// Show where a session id could be exposed on this page: the referring
// URL, this page's own query string, and the session cookie.
function init(){
    alert("document.referrer = " + document.referrer);
    alert("Query string = " + getQueryString());
    alert("Cookie value of " + SESSION_COOKIE + " = " + getCookieValue(SESSION_COOKIE)); }

// Scans document.cookie ("name1=value1; name2=value2; ...") for the
// named cookie and returns its decoded value, or null if absent.
function getCookieValue(cookieName){
    var a=cookieName+"=";
    var i=0;
    var c=document.cookie;
    if(c!=null){
        while(i<c.length){
            var j=i+a.length;
            if(c.substring(i,j)==a){
                // value runs up to the next ";" or the end of the string
                var e=c.indexOf(";",j);
                if(e==-1)e=c.length;
                return unescape(c.substring(j,e));
            }
            // advance to the character after the next space, i.e. the
            // start of the next "name=" pair (browsers join cookies with "; ")
            i=c.indexOf(" ",i)+1;
            if(i==0)break;
        }
    }
    return null;
}
</SCRIPT>
</HEAD>
<BODY onLoad="init()">
</BODY>
</HTML>

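The script above only displays the three values in alerts. As an added example that is not part of the bug comment or of Tomcat, the following Node.js code turns the same check into something a test suite can assert on: it parses the cookie header, extracts a session id carried by URL rewriting (the ;jsessionid= path parameter or a jsessionid query parameter), and reports where the id is exposed, including a referrer that still carries one. The cookie name JSESSIONID and the parameter name jsessionid are Tomcat's defaults; the sample URLs and cookie strings are constructed for the example.

```javascript
// Added example (not from the bug report): locate a Tomcat-style session id
// in both transport mechanisms and report where it is exposed.
const SESSION_COOKIE = "JSESSIONID";      // Tomcat's default cookie name (case-sensitive)
const SESSION_PATH_PARAM = "jsessionid";  // URL-rewriting parameter, e.g. /app/page;jsessionid=ABC

// Parse "name1=value1; name2=value2" into an object. Percent-decoding is
// attempted but a malformed value is kept verbatim rather than throwing.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try { cookies[name] = decodeURIComponent(raw); } catch (e) { cookies[name] = raw; }
  }
  return cookies;
}

// Return { value, where } for a session id found in the URL, or null.
// The path parameter is matched case-insensitively because servlet
// containers accept it that way; the query parameter is looked up as-is.
function sessionIdFromUrl(urlString) {
  const url = new URL(urlString);
  const pathMatch = url.pathname.match(new RegExp(";" + SESSION_PATH_PARAM + "=([^;/?#]+)", "i"));
  if (pathMatch) return { value: pathMatch[1], where: "path" };
  const queryValue = url.searchParams.get(SESSION_PATH_PARAM);
  if (queryValue) return { value: queryValue, where: "query" };
  return null;
}

// Combine the three observations the test page displays and return findings
// a defender would want flagged.
function assessSessionExposure(requestUrl, cookieString, referrer) {
  const findings = [];
  const cookieSid = parseCookies(cookieString)[SESSION_COOKIE] || null;
  const urlSid = sessionIdFromUrl(requestUrl);
  if (urlSid) {
    findings.push("session id carried in URL " + urlSid.where +
      ": it is exposed in Referer headers, browser history and server logs");
  }
  if (cookieSid && urlSid && cookieSid !== urlSid.value) {
    findings.push("cookie and URL session ids disagree: the URL id is stale or externally supplied");
  }
  if (referrer && sessionIdFromUrl(referrer)) {
    findings.push("referrer carries a session id: the referring page leaked its session");
  }
  return { cookieSid, urlSid: urlSid ? urlSid.value : null, findings };
}

// Constructed sample run (values are made up for the example).
if (typeof require !== "undefined" && require.main === module) {
  console.log(assessSessionExposure(
    "http://app.example.test/shop/cart;jsessionid=ABC123?item=7",
    "JSESSIONID=ABC123; theme=dark",
    "http://other.example.test/page?jsessionid=QQQ999"));
}
```

Running the file prints the parsed cookie id, the URL-carried id and two findings for the constructed request: the id travels in the path, and the referrer itself leaked one. A deployment that has disabled URL rewriting should produce no findings for any of its own pages.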
-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org