DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=22679>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=22679 ------- Additional Comments From [EMAIL PROTECTED] 2007-10-25 20:06 ------- Lucas, you are right that there can be multiple legitimate SSL Session IDs with one JSESSIONID. So while I stick to the statement that observing the SSL Session ID is still one good measure against Session Hijacking, if applied alone, it may also lock out legitimate additional SSL sessions. At least for sequentially changing SSL-IDs, we account for with the described "n-1 our of n" approach (comment 12). So if the other n-1 parameters to considered stay the same, the mechanism probably even works with simultanous sessions with IDs A, B, C since the tomcat application for each request will just assume that it is a change from A->B, then from B->C, C->A and so on - not noticing there are actually multiple simultaneous SSL sessions going on in parallel. Anyway, we have the approach in operation since months with hundreds of users and no problems. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
