https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #26 from Mark Thomas <ma...@apache.org> 2009-12-30 08:37:02 GMT ---

(In reply to comment #25)
> So it appears that the session ID in the URL will be encrypted. I had to do
> some sniffing / digging myself -
> http://answers.google.com/answers/threadview/id/758002.html - but it's still
> bad practice, and introduces vulnerability.

This is FUD. There is no vulnerability here.

> Consider the case of a proxy server, or of your own browser history. If you
> take a look, you'll see that jsessionids are getting cached in the history,
> regardless of whether they were handed out after authentication or not.
>
> That aside, there's no reason that the browser couldn't cache the entire
> response, thus making this whole point moot -- it just doesn't out of the box.
> Removing the session ID from the URL would prevent browser history caching of a
> Session ID.

More FUD. The situations you describe are not vulnerabilities.

Since Bugzilla is neither a support forum nor a discussion forum, if you wish to
continue this discussion further, please do so on the users list.
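For a deployment that wants to stop honouring session ids carried in the URL (the `;jsessionid=...` path parameter the thread is arguing about), the following servlet filter is an added example, not code from this bug, from Tomcat, or from either commenter. The class name, the redirect-to-cleaned-URL policy and the `web.xml` mapping described below are this example's own choices; the only container behaviour it relies on is the standard Servlet API (`isRequestedSessionIdFromURL`, `getSession(false)`, `sendRedirect`).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (hypothetical class, not part of Tomcat): refuse to honour a
 * session id that arrived as a ;jsessionid=... path parameter. Any session
 * that id resolves to is invalidated, because the id may already sit in a
 * browser history, a Referer header or a proxy log, and the client is sent
 * to the same URL without the id so it continues with a cookie-based session.
 */
public class RejectUrlSessionIdFilter implements Filter {

    // Matches the ;jsessionid=<value> path parameter in any path segment.
    private static final String SESSION_PATH_PARAM = "(?i);jsessionid=[^;/?]*";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Servlet API: true when the container took the requested session id
        // from the URL rather than from a cookie. Cookie-based requests pass.
        if (!request.isRequestedSessionIdFromURL()) {
            chain.doFilter(req, res);
            return;
        }

        // If the URL-carried id names a live session, retire that session now
        // rather than let a possibly leaked id keep working.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // getRequestURI() still carries the path parameter, so strip it and
        // keep any query string the client sent.
        String cleaned = request.getRequestURI().replaceAll(SESSION_PATH_PARAM, "");
        String query = request.getQueryString();
        if (query != null) {
            cleaned = cleaned + "?" + query;
        }

        // sendRedirect does not encode a session id into the URL (only
        // encodeRedirectURL does), so the Location header stays clean.
        response.sendRedirect(cleaned);
    }
}
```

Map the filter to `/*` with a `<filter>`/`<filter-mapping>` pair in `web.xml`. On a Servlet 3.0 container (Tomcat 7 and later) the declarative alternative is `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`, which makes the container ignore URL-carried ids altogether and stops `encodeURL`/`encodeRedirectURL` from emitting them; the filter is for containers or applications where that setting is not available.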