https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Summary: support disable jsessionid from url against session
fixation attacks
Product: Tomcat 6
Version: unspecified
Platform: PC
URL: http://en.wikipedia.org/wiki
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
quaff <[EMAIL PROTECTED]> changed:
What | Removed | Added
CC   |         | [EMAIL PROTECTED]
-
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Mark Thomas <[EMAIL PROTECTED]> changed:
What     | Removed  | Added
Severity | critical | enhancement
-
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #2 from Rainer Jung <[EMAIL PROTECTED]> 2008-06-23 01:58:29 PST ---
Hi Mark,
Spec 7.1 seems to say:
- a compliant container may support URL encoded sessions ("may be used")
- if it does support them, it has to use the path
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #3 from Mark Thomas <[EMAIL PROTECTED]> 2008-06-23 02:32:36 PST ---
SRV.7.1.4 is the important bit for us. If we disable URL-rewriting we break the
spec. That said, I am not against it as an option (probably at the context
l
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #4 from Rainer Jung <[EMAIL PROTECTED]> 2008-06-23 02:40:39 PST ---
Ahh, of course you are right. I'll see how easy an option is (I guess the
incoming session path parameter and cookie is handled in the connector, and the
co
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #5 from Rainer Jung <[EMAIL PROTECTED]> 2008-06-23 02:46:58 PST ---
Sorry, again I wrote partial nonsense: there is a
request.isRequestedSessionIdFromURL() in the servlet API. So it is easy for us
to know, but also for the w
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #6 from Mark Thomas <[EMAIL PROTECTED]> 2008-06-23 02:56:29 PST ---
That would work. If we wanted to make this a Tomcat option the code around the
context configuration option cookies is where I would start.
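A filter in the direction Comment #5 and #6 sketch, added here as an illustration rather than code from Tomcat or from this thread: it uses the standard request.isRequestedSessionIdFromURL() call to refuse session ids that arrived as a ;jsessionid path parameter. The class name, the redirect strategy and the stripping regex are this example's own assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Refuses session ids that were supplied by URL rewriting (;jsessionid=...).
 * Example filter, not Tomcat code: the class name and the redirect
 * approach are choices made for this illustration.
 */
public class UrlSessionIdFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Servlet API call named in Comment #5: true only when the requested
        // session id came from the URL rather than from a cookie.
        if (request.isRequestedSessionIdFromURL()) {
            // Do not keep a session whose id the client (or a planted link) chose.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // Send the client back to the same resource without the path parameter;
            // the follow-up request carries no URL id and passes straight through.
            // encodeURL() is deliberately not used: it would re-append jsessionid.
            String uri = request.getRequestURI().replaceFirst("(?i);jsessionid=[^;/?]*", "");
            String query = request.getQueryString();
            response.sendRedirect(query == null ? uri : uri + "?" + query);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Map the filter to /* in web.xml; clients that do not accept cookies then simply get a fresh session on every request, which is the intended trade-off of disabling URL rewriting.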
--
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change
notification.
The following page has been changed by ChristopherSchultz:
http://wiki.apache.org/tomcat/Tomcat/UTF-8
The comment on the change is:
Stopped clobbering client-provided character encoding
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change
notification.
The following page has been changed by markt:
http://wiki.apache.org/tomcat/Tomcat/UTF-8
The comment on the change is:
Remove inaccurate statement
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change
notification.
The following page has been changed by ole:
http://wiki.apache.org/tomcat/FrontPage
--
* '''["PoweredBy"]'
https://issues.apache.org/bugzilla/show_bug.cgi?id=45261
Summary: Concurrent node failure leads to inconsistent views.
Product: Tomcat 6
Version: 6.0.16
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Pr