Mark,

On 10/28/15 12:34 PM, Mark Thomas wrote:
> On 28/10/2015 13:01, Roel Storms wrote:
>> Hello,
>>
>> I was looking into session management on Tomcat 8.0.29 and found this
>> comment:
>>
>> In apache.catalina.connector.Request method doGetSession(bool) line 2886:
>>
>>     // Attempt to reuse session id if one was submitted in a cookie
>>     // Do not reuse the session id if it is from a URL, to prevent possible
>>     // phishing attacks
>>     // Use the SSL session ID if one is present.
>>
>> Why do you put more trust in a session id from a *cookie* than from a *URL*?
>> Is there an (invalid) assumption that cookies are hard to manipulate?
>
> It is based on the fact that cookies require more effort from an
> attacker to control.

Just to clarify, the "attacker" in this case isn't the user of the web
application. Yes, any client can send any header (cookie) they want. But
an attacker trying to trick someone else into sending a cookie is going
to have a harder time than trying to get them to click on a link that has
an embedded session identifier.

> Creating the session with the client provided ID is required for some
> features to operate correctly.
>
>> Additionally I was hoping to find some *design documentation on the session
>> mechanism*. Has anyone constructed any diagram or created some other form
>> of documentation useful for figuring out how sessions are created and
>> maintained?
>
> Not that I am aware of. The relevant source code isn't that long.
> Reading it is probably the quickest way.

Roel, what are you looking for specifically? The servlet spec lays out
when sessions are created/destroyed, etc. Do you think Tomcat needs
documentation in addition to that?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
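The reuse policy the thread quotes from doGetSession() (honour a client-supplied id from a cookie or the SSL layer when creating a session, never one that only appeared in the URL), modelled as a small Python simulation. This is an added example for the thread, not Tomcat's code and not code by anyone in the thread; the names Request, SessionManager and fixation_scenario are invented for illustration, and the session id value in fixation_scenario is constructed. The reuse_url_ids switch turns on the unsafe policy so the two behaviours can be compared side by side.

```python
# Added example, not from the thread and not Tomcat's code: a toy model of the
# session-id reuse policy quoted from doGetSession(). All names here
# (Request, SessionManager, fixation_scenario) are invented for illustration.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    """Where a session id could arrive from on one HTTP request."""
    cookie_session_id: Optional[str] = None   # JSESSIONID cookie
    url_session_id: Optional[str] = None      # ;jsessionid=... path parameter
    ssl_session_id: Optional[str] = None      # TLS session id, if the app uses it


class SessionManager:
    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def get_session(self, req: Request, reuse_url_ids: bool = False) -> Tuple[str, str]:
        """Return (session_id, source).

        Looking up an *existing* session honours both cookie and URL ids (URL
        rewriting must keep working), cookie first. Creating a *new* session
        with a client-chosen id is only done for cookie- or SSL-supplied ids;
        an id that only appeared in the URL is discarded and a fresh one is
        generated. reuse_url_ids=True switches on the unsafe policy that the
        quoted comment says Tomcat deliberately avoids.
        """
        for source, sid in (("cookie", req.cookie_session_id),
                            ("url", req.url_session_id)):
            if sid is not None and sid in self.sessions:
                return sid, source

        if req.ssl_session_id:
            sid, source = req.ssl_session_id, "ssl"
        elif req.cookie_session_id:
            # Still trusts the client, but planting a cookie in someone else's
            # browser takes more effort than getting them to follow a link.
            sid, source = req.cookie_session_id, "cookie"
        elif reuse_url_ids and req.url_session_id:
            sid, source = req.url_session_id, "url"      # unsafe: chosen by whoever built the link
        else:
            sid, source = secrets.token_hex(16), "generated"

        self.sessions[sid] = {}
        return sid, source


def fixation_scenario(reuse_url_ids: bool) -> bool:
    """A victim's first request carries only a URL-embedded id that someone
    else chose (constructed value). Returns True if that id becomes the
    victim's session, i.e. if the policy allows fixation through a link."""
    mgr = SessionManager()
    planted = "cafebabe" * 4  # constructed id that the server has never issued
    victim_sid, _ = mgr.get_session(Request(url_session_id=planted), reuse_url_ids)
    return victim_sid == planted


if __name__ == "__main__":
    print("fixation via link, URL ids reused:     ", fixation_scenario(True))
    print("fixation via link, cookie/SSL-only reuse:", fixation_scenario(False))
```

Running the module prints True for the unsafe policy and False for the cookie/SSL-only policy; the second lookup path in get_session shows why URL ids still have to be accepted for sessions that already exist, which is the "required for some features" point Mark makes.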