On 28/10/2015 13:01, Roel Storms wrote:
> Hello,
> 
> 
> I was looking into session management  on Tomcat 8.0.29 and found this
> comment:
> 
> In apache.catalina.connector.Request method doGetSession(bool) line 2886:
> 
>         // Attempt to reuse session id if one was submitted in a cookie
>         // Do not reuse the session id if it is from a URL, to prevent possible
>         // phishing attacks
>         // Use the SSL session ID if one is present.
> 
> Why do you put more trust in a session id from a cookie than from a URL?
> Is there an (invalid) assumption that cookies are hard to manipulate?

It is based on the fact that cookies require more effort from an
attacker to control.

Creating the session with the client provided ID is required for some
features to operate correctly.


> Additionally I was hoping to find some design documentation on the session
> mechanism. Has anyone constructed any diagram or created some other form
> of documentation useful for figuring out how sessions are created and
> maintained?

Not that I am aware of. The relevant source code isn't that long.
Reading it is probably the quickest way.

Mark
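The comment quoted above governs which client-supplied id Tomcat adopts when it creates a session. As an added illustration (not Tomcat code; the filter name is hypothetical), the same trust distinction applied at the application layer with the standard Servlet 3.1 API: an id that arrived as a URL path parameter is never kept, while an id from a cookie is left alone.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical filter: a session id carried in the URL (;jsessionid=...) is
 * the easiest kind for a third party to hand to a victim, so the id is rotated
 * before the application sees the request. Cookie-borne ids are not touched.
 */
public class UrlSessionIdFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // isRequestedSessionIdFromURL() is false for cookie-borne ids, so the
        // cookie path (the one the Tomcat comment trusts) is left unchanged.
        if (request.getRequestedSessionId() != null
                && request.isRequestedSessionIdFromURL()
                && request.isRequestedSessionIdValid()) {
            // Servlet 3.1: keep the session's attributes but issue a fresh id,
            // so whoever distributed the URL no longer knows the live id.
            request.changeSessionId();
        }
        // An invalid URL-borne id needs no handling: the container will only
        // create a session on demand, with an id it generated itself.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Where URL rewriting is not needed at all, `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml stops the container from reading ids from the URL in the first place; the filter is for applications that must keep URL rewriting for cookieless clients.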

