Tomcat 5.5, servlet container & session management

Clyde Zundel
Greenhorn

Joined: May 14, 2008
Posts: 1
Hi. My boss has decided to hack the session management out of standard tomcat because he doesn't like it. Unfortunately, I'm now left with issues trying to develop on a hacked up mess that drops sessions, loses sessions, creates new sessions, etc. It's fun.

Anyway, he is now trying to claim that he did it because it's easy to hijack sessions in Tomcat and we have to have greater security than that.

Can someone educate me on:
a. What are the Tomcat weaknesses re: session hijacking; and,
b. What is typically done to try and mitigate those security risks.

I have a big old hunch that most folks aren't ripping up Tomcat in order to prevent session hijacking, but - being green - I don't really know what a good, well thought through approach to prevent hijacking might be.

Thanks much!
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Under SSL, sessions are not easy to hijack.
I've never heard of anyone doing this to Tomcat to make it more secure.

Is your app running under SSL?
I would think that it would be if it needs this level of security.

