https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #25 from jcran <jc...@0x0e.org> 2009-12-30 08:14:01 UTC ---
(In reply to comment #24)
> ...
> Yes, but Tomcat 5 & 6 will change the session ID on authentication which
> addresses the root cause of the session fixation. With that fixed whether or
> not the session ID is in the URL is moot.

So it appears that the session ID in the URL will be encrypted. I had to do
some sniffing / digging myself -
http://answers.google.com/answers/threadview/id/758002.html - but it's still
bad practice, and introduces vulnerability.

Consider the case of a proxy server, or of your own browser history. If you
take a look, you'll see that jsessionids are getting cached in the history,
regardless of whether they were handed out after authentication or not.

That aside, there's no reason that the browser couldn't cache the entire
response, thus making this whole point moot -- it just doesn't out of the box.
Removing the session ID from the URL would prevent browser history caching of a
Session ID.

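The two defences discussed in this thread (refusing a session ID that arrives in the URL, and issuing a fresh ID once the user has authenticated) as an added servlet-filter example written against the plain javax.servlet 2.5 API; it is not Tomcat's own code, and the class name `SessionHygieneFilter` and helper `rotateSession` are hypothetical names chosen here:

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter (added example, not Tomcat's own code): refuses session IDs
 *  carried in the URL and offers a helper that rotates the ID after authentication. */
public class SessionHygieneFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // An ID that arrived as ;jsessionid=... may have been read from browser
        // history or a proxy log: do not honour it, redirect to the clean path.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession tainted = request.getSession(false);
            if (tainted != null) tainted.invalidate();
            // servletPath/pathInfo never carry path parameters, unlike getRequestURI()
            String clean = request.getContextPath() + request.getServletPath()
                    + (request.getPathInfo() == null ? "" : request.getPathInfo());
            if (request.getQueryString() != null) clean += "?" + request.getQueryString();
            response.sendRedirect(clean);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Call once credentials are verified: a fresh ID means anything captured
     *  before login (history, logs, a fixated value) is useless afterwards. */
    public static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> attrs = new HashMap<String, Object>();
        if (old != null) {
            for (Enumeration<?> n = old.getAttributeNames(); n.hasMoreElements();) {
                String name = (String) n.nextElement();
                attrs.put(name, old.getAttribute(name));
            }
            old.invalidate();   // the pre-login ID is now dead server-side
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Map the filter to `/*` in web.xml and call `rotateSession` from the login handler right after the credential check; the rotation is the same step the quoted comment says Tomcat 5 and 6 perform themselves on authentication.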