
Tomcat 5.5, servlet container & session management

Clyde Zundel

Joined: May 14, 2008
Posts: 1
Hi. My boss has decided to hack the session management out of standard tomcat because he doesn't like it. Unfortunately, I'm now left with issues trying to develop on a hacked up mess that drops sessions, loses sessions, creates new sessions, etc. It's fun.

Anyway, he is now trying to claim that he did it because it's easy to hijack sessions in Tomcat and we have to have greater security than that.

Can someone educate me on:
a. What are the Tomcat weaknesses re: session hijacking; and,
b. What is typically done to try and mitigate those security risks.

I have a big old hunch that most folks aren't ripping up Tomcat in order to prevent session hijacking, but - being green - I don't really know what a good, well thought through approach to prevent hijacking might be.

Thanks much!
Ben Souther

Joined: Dec 11, 2004
Posts: 13410

Under SSL, sessions are not easy to hijack.
I've never heard of anyone doing this to Tomcat to make it more secure.

Is your app running under SSL?
I would think that it would be if it needs this level of security.

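The usual way to get the security the boss wants without ripping out Tomcat's session manager is to leave the manager alone and harden how session ids travel: keep them on SSL, and issue a fresh id at login so an id handed to the browser before authentication is worthless afterwards. The filter and helper below are an added example written for this thread, not code from the original posts or from Tomcat; they use only the Servlet 2.4 API that Tomcat 5.5 ships. The class name `SessionHardeningFilter`, the `rotateSession` helper and the assumption that HTTPS is served on the default port 443 are all mine.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter layered on top of Tomcat's standard session manager.
 * Map it in web.xml to every path that uses a session, e.g.
 *
 *   <filter>
 *     <filter-name>sessionHardening</filter-name>
 *     <filter-class>SessionHardeningFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>sessionHardening</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class SessionHardeningFilter implements Filter {

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Measure 1: sessions ride only on SSL. A JSESSIONID sent over plain HTTP can be
        // read off the wire, so bounce the request to HTTPS before any session is touched.
        // isSecure() is true only when Tomcat's SSL connector (or a connector configured
        // with secure="true" behind an SSL-terminating proxy) received the request.
        if (!request.isSecure()) {
            response.sendRedirect(httpsUrl(request));
            return;
        }
        chain.doFilter(request, response);
    }

    /** Same URL on https (assumes HTTPS on the default port 443). */
    static String httpsUrl(HttpServletRequest request) {
        StringBuffer url = new StringBuffer("https://");
        url.append(request.getServerName()).append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    /**
     * Measure 2: session fixation defence. The login servlet calls this once the
     * credentials have checked out and BEFORE it writes any response, so the
     * Set-Cookie for the new id still reaches the browser. The id the browser arrived
     * with is invalidated; anyone who planted or captured it is left with nothing.
     * Servlet 2.4 has no changeSessionId(), hence the copy-and-recreate.
     */
    static HttpSession rotateSession(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);   // new id, new cookie
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Two points worth checking when this goes in: the HTTPS connector in Tomcat's server.xml (or a plain connector fronted by an SSL proxy) must carry `secure="true"`, otherwise `isSecure()` stays false and Tomcat will not mark the JSESSIONID cookie `Secure`; and `rotateSession` must run before the login servlet commits its response, or the new cookie is silently dropped and the browser keeps the old id.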