Hello,
I was looking into session management on Tomcat 8.0.29 and found this
comment:
In apache.catalina.connector.Request method doGetSession(bool) line 2886:

    // Attempt to reuse session id if one was submitted in a cookie
    // Do not reuse the session id if it is from a URL, to prevent possible
    // phishing attacks
    // Use the SSL session ID if one is present.
Why do you put more trust in a session id from a *cookie* than from a *URL*?
Is there an (invalid) assumption that cookies are hard to manipulate?
Additionally, I was hoping to find some *design documentation on the session
mechanism*. Has anyone constructed any diagram or created some other form
of documentation useful for figuring out how sessions are created and
maintained?
Rgds,
Roel Storms
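The policy the quoted comment describes (treat a session id carried in the URL as less trustworthy than one carried in a cookie) can also be applied from application code. The following servlet filter is an added illustration written for this thread; it is not Tomcat's own implementation of doGetSession and does not change how Tomcat assigns ids. It assumes the javax.servlet namespace that Tomcat 8 ships and the Servlet 3.1 HttpServletRequest.changeSessionId() method, and its only effect is to replace the id of an existing session whenever that id reached the server through a URL rather than a cookie, so the id that was visible in a link stops being usable.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example for this discussion, not part of Tomcat.
 *
 * Mirrors the distinction made in the quoted doGetSession comment at the
 * application layer: an id that arrived via a cookie is left alone, an id
 * that arrived via the URL (;jsessionid=...) is rotated so that the value
 * which was exposed in the URL is no longer a valid session key.
 */
public class SessionIdSourceFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed for this illustration
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // Only act when the client submitted an id that maps to a live session
        // and that id was carried in the URL rather than in a cookie.
        if (request.getRequestedSessionId() != null
                && request.isRequestedSessionIdValid()
                && request.isRequestedSessionIdFromURL()
                && !request.isRequestedSessionIdFromCookie()) {

            // getSession(false) never creates a session; it returns the one the
            // submitted id resolved to, which is guaranteed non-null here by the
            // isRequestedSessionIdValid() check above.
            HttpSession session = request.getSession(false);
            if (session != null) {
                // Servlet 3.1: keep the session's attributes, issue a fresh id.
                // The id seen in the URL is now dead; the new id is sent to the
                // client through the container's normal cookie mechanism.
                request.changeSessionId();
            }
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register it in web.xml (or with @WebFilter) ahead of any filter that reads the session. The cookie case is deliberately untouched: the filter only narrows the trust placed in URL-supplied ids, which is the asymmetry the quoted comment expresses.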