https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Andre Schild <a.sch...@aarboard.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |a.sch...@aarboard.ch

--- Comment #18 from Andre Schild <a.sch...@aarboard.ch> 2009-11-17 11:48:35 UTC ---
A good document describing session fixation can be found here:

http://www.acros.si/papers/session_fixation.pdf

Just disabling the usage of jsessionid=.... in the URL does not solve the
problem, it just closes one of many open doors.
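
One application-level defense that works regardless of how a session ID reached the browser is to discard the pre-login session and issue a new ID at authentication. The sketch below is an added example, not part of the original comment and not Tomcat's own code; the class name, the `authenticatedUser` attribute, the `/home` redirect and the `credentialsValid` hook are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical base class for a login servlet; subclasses supply the credential check.
public abstract class SessionRotatingLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("user");
        if (!credentialsValid(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Rotate BEFORE marking the session as authenticated, so an ID that was
        // planted earlier (via URL, cookie or any other route) never gains privileges.
        HttpSession fresh = rotateSession(req);
        fresh.setAttribute("authenticatedUser", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Invalidates the session the client presented and creates a new one,
    // carrying over pre-login attributes (for example a shopping cart).
    static HttpSession rotateSession(HttpServletRequest req) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);   // do not create one if absent
        if (old != null) {
            for (Object name : Collections.list(old.getAttributeNames())) {
                saved.put((String) name, old.getAttribute((String) name));
            }
            old.invalidate();                      // the old ID is now useless
        }
        HttpSession fresh = req.getSession(true);  // container issues a new ID
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    // Assumption: the application's real authentication logic goes here.
    protected abstract boolean credentialsValid(String user, String password);
}
```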
