Hi. My boss has decided to hack the session management out of standard Tomcat because he doesn't like it. Unfortunately, I'm now left with issues trying to develop on a hacked-up mess that drops sessions, loses sessions, creates new sessions, etc. It's fun.
Anyway, he is now trying to claim that he did it because it's easy to hijack sessions in Tomcat and we have to have greater security than that.
Can someone educate me on: (a) what the Tomcat weaknesses are regarding session hijacking; and (b) what is typically done to try to mitigate those security risks?
I have a big old hunch that most folks aren't ripping up Tomcat in order to prevent session hijacking, but, being green, I don't really know what a good, well-thought-through approach to preventing hijacking might be.