Can a client recapture a session in Tomcat 4.1?


Sebastian Millies

Can a client recapture his Tomcat session after he
has accidentally closed the browser, provided that
the session object still exists on the server?

Would this be a browser-specific thing? After all,
I guess I'd need to tell the browser to persist
the session cookie or some such thing. Or would it
work browser-independently using URL-rewriting?

If there is such a mechanism, does it pose any
security concerns (e.g. through Tomcat reusing
a session-id for a totally different session?)

We're on Tomcat 4.1. Would the answer be any
different for Tomcat 5.0?

Thanks for any enlightenment or additional
pointers. -- Sebastian


John C. Bollinger

Sebastian said:
Can a client recapture his Tomcat session after he
has accidentally closed the browser, provided that
the session object still exists on the server?

Possibly. It depends on the session maintenance mechanism. If SSL,
then any ability to do so would constitute a client-side security
vulnerability. You could also argue the same thing when sessions are
being maintained via cookies, and in that case the cookies probably
expire and are removed when the browser is closed. That leaves sessions
maintained via URL rewriting; in that case, if the client has the last
URL he visited in the session then he could probably go back to it,
though there might be some question as to the validity of doing so from
the application's point of view.

Would this be a browser-specific thing? After all,
I guess I'd need to tell the browser to persist
the session cookie or some such thing. Or would it
work browser-independently using URL-rewriting?

If the session were maintained via a cookie, you would probably have to
hack either the cookie (presuming you manage to hold on to it) or the
browser in order to get the browser to continue to use it, but that may
depend on how the particular app server configures the cookies it uses.

Sessions maintained via URL rewriting could probably be revised as I
described above, simply by revisiting a URL that incorporates the
correct session ID.

If there is such a mechanism, does it pose any
security concerns (e.g. through Tomcat reusing
a session-id for a totally different session?)

No. You will only be able to resume a session if it has not timed out
on the application server, and the server will not reuse the session ID
while the session is still live. Most app servers are very unlikely to
_ever_ reuse the same id, for that matter.

We're on Tomcat 4.1. Would the answer be any
different for Tomcat 5.0?

Unlikely. For the most part these issues are not app-server-specific.
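As an added illustration of the two resumption cases discussed above (this is not code from the thread or from Tomcat), a Servlet 2.3 filter, deployable on Tomcat 4.1, that makes them visible to the application: a stale id the container has already dropped (timed out or invalidated, so it cannot be resumed), and a live id that arrived in a rewritten URL (which anyone holding that URL could use to resume the session). The class name, attribute names and log messages are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter: records how the client presented its session id
// and whether the container still recognises it, so servlets downstream
// can decide whether a "resumed" session is acceptable for their purpose.
public class SessionResumeFilter implements Filter {

    private ServletContext context;

    public void init(FilterConfig cfg) { context = cfg.getServletContext(); }
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String requestedId = http.getRequestedSessionId();

        if (requestedId != null && !http.isRequestedSessionIdValid()) {
            // The client sent an id the container no longer knows: the session
            // timed out or was invalidated. Tomcat will not honour it and hands
            // out a fresh session instead, so only log that it happened.
            context.log("stale session id presented for " + http.getRequestURI());
        }

        boolean fromUrl = http.isRequestedSessionIdFromURL();
        if (fromUrl && http.isRequestedSessionIdValid()) {
            // A live session id travelled in the URL (rewriting). Such URLs end
            // up in browser history, bookmarks and proxy logs, so the session
            // stays resumable by whoever holds the URL until it times out.
            context.log("live session resumed via rewritten URL for " + http.getRequestURI());
        }

        HttpSession session = http.getSession(false);
        if (session != null) {
            // Expose the facts so a servlet can, e.g., refuse sensitive actions
            // when the id came from a URL, or show how long the session has idled.
            long idleSeconds = (System.currentTimeMillis() - session.getLastAccessedTime()) / 1000L;
            req.setAttribute("session.resumedViaUrl", Boolean.valueOf(fromUrl));
            req.setAttribute("session.idleSeconds", new Long(idleSeconds));
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to `/*` in the web application's web.xml (a `filter` and `filter-mapping` pair) so every request passes through it.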