(keitai-l) Re: Losing Sessions on WAP servlet app

From: Paul Lester <paul_at_thetamusic.com>
Date: 05/30/05
Message-ID: <429A7D10.7F5A9C8E@thetamusic.com>
    Very true.  I also filtered IPs a little, checked some headers and such... but I didn't
store the user agent.  That's an interesting idea!... The original problem is solved,
but it's fun to keep talking.

    I think I'm going to have to try out Orion sometime.... I hope it's better than Tomcat!
Three of my friends are trying to get me onto JBoss, but I don't like the name.  The name
reminds me of Boss Hogg? from the Dukes of Hazzard.

Curt Sampson wrote:

> On Sun, 29 May 2005, Paul wrote:
>
> >    To make the session unhijackable on a handset check the Handset ID
> > and use it to make the secret code that indicates a session.
>
> Handset IDs can be faked, unless you're also checking the source of the
> request to make sure that it's, e.g., one of the known Docomo proxy
> servers. As well, note that if you request the handset ID to be sent,
> it's going to prompt the user to make sure that that's ok. You certainly
> don't want this happening on every page!
>
> A less costly check is just to store other header information, such as
> the User-agent, when starting a session, and if that information changes
> during the session, invalidate the session. It's not a perfect check,
> but it will stop casual (and usually accidental) session sharing when
> someone sends a URL to someone else, and will make it a bit more work
> for a malicious attacker.
>
> cjs
> --
> Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974

--
*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*F=m(dv/dt)
Paul B. Lester
thetamusic.com(有)
Chief Engineer

EMAIL: paul@thetamusic.com
--
http://www.thetamusic.com/

personal homepage: http://www.purplepaul.com/
personal EMAIL: pbl1@cornell.edu
*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*F=m(dv/dt)
Received on Mon May 30 05:29:27 2005
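The header-binding check Curt describes (record the User-Agent when the session starts, invalidate the session if it changes), written as a servlet filter for a Tomcat-style WAP app. This is an added example, not code from either poster; the session attribute name, the redirect target and the use of the javax.servlet Filter API are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds each HttpSession to the User-Agent header seen on the first request
 * that used it. A later request carrying the same session ID but a different
 * User-Agent invalidates the session and is sent back to the entry page.
 * Hypothetical filter: names and paths below are assumptions, not a project's.
 */
public class SessionBindingFilter implements Filter {
    private static final String BOUND_UA = "boundUserAgent"; // attribute name (assumed)
    private static final String ENTRY_PAGE = "/index.jsp";    // redirect target (assumed)

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Do not create a session just to check one; only existing sessions are bound.
        HttpSession session = request.getSession(false);
        if (session != null) {
            String ua = request.getHeader("User-Agent");
            String seen = (ua == null) ? "" : ua;          // treat a missing header as ""
            String bound = (String) session.getAttribute(BOUND_UA);
            if (bound == null) {
                // First request on this session: remember what it was started with.
                session.setAttribute(BOUND_UA, seen);
            } else if (!bound.equals(seen)) {
                // Header changed mid-session: a forwarded URL or a copied session ID
                // is being used from a different handset/browser, so drop the state.
                session.invalidate();
                response.sendRedirect(request.getContextPath() + ENTRY_PAGE);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to the URL pattern of the session-bearing pages in web.xml; as Curt notes, this blocks accidental sharing and raises the bar for an attacker, but an attacker who also copies the User-Agent passes the check.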