Tomcat 5.5, servlet container & session management

Clyde Zundel
Greenhorn
Posts: 1
Hi. My boss has decided to hack the session management out of standard Tomcat because he doesn't like it. Unfortunately, I'm now left with issues trying to develop on a hacked up mess that drops sessions, loses sessions, creates new sessions, etc. It's fun.

Anyway, he is now trying to claim that he did it because it's easy to hijack sessions in Tomcat and we have to have greater security than that.

Can someone educate me on:
a. What are the Tomcat weaknesses re: session hijacking; and,
b. What is typically done to try and mitigate those security risks?

I have a big old hunch that most folks aren't ripping up Tomcat in order to prevent session hijacking, but - being green - I don't really know what a good, well thought through approach to prevent hijacking might be.

Thanks much!
Ben Souther
Sheriff
Posts: 13411
Under SSL, sessions are not easy to hijack.
I've never heard of anyone doing this to Tomcat to make it more secure.

Is your app running under SSL?
I would think that it would be if it needs this level of security.
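A concrete form of the SSL advice in the reply above, as an added example that is not from this thread and not Tomcat's own code: a Servlet 2.4 filter for Tomcat 5.5 that refuses to serve a session over plain HTTP and rotates the session id after login. It assumes HTTPS on the default port and that the login servlet calls rotateSession (a name chosen here).

```java
// Added example (not from this thread and not Tomcat's own code): a Servlet 2.4 filter
// for Tomcat 5.5 that keeps the session cookie off plain HTTP and rotates the session
// id after login. Assumes HTTPS is served on the default port 443.
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

public class SecureSessionFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Refuse to serve (and so to create or read a session) over plain HTTP.
        // Tomcat only marks JSESSIONID Secure when the session is created on an SSL
        // request, so an id first issued over HTTP would keep travelling in clear.
        if (!request.isSecure()) {
            String query = request.getQueryString();
            response.sendRedirect("https://" + request.getServerName()
                    + request.getRequestURI() + (query == null ? "" : "?" + query));
            return;
        }
        chain.doFilter(request, response);
    }

    /** Call from the login servlet once credentials check out. The id the browser held
     *  before authentication is discarded so an earlier value cannot be reused
     *  (session fixation); attributes are carried across to the fresh session. */
    public static HttpSession rotateSession(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = (String) e.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true); // Tomcat issues a new JSESSIONID
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

Register the filter in web.xml with a `<filter>` and a `<filter-mapping>` on `/*`; a `<security-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` achieves the same HTTPS redirect declaratively, but not the id rotation.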