PaulDotCom mailing list archives
Re: Session management
From: Jim Halfpenny <jim.halfpenny () gmail com>
Date: Thu, 4 Nov 2010 08:46:53 +0000
Hi,

I'm guessing the cookie name is JSESSIONID, indicating the backend is a Java application server like Tomcat. Here's a little info on JSESSIONID:

http://stackoverflow.com/questions/595872/under-what-conditions-is-a-jsessionid-created

This cookie is the token that links your browser session with a server-side Java session. It's likely that once you log in a flag is set in your session to say you are authenticated. No need to issue a new cookie; just make changes to the Java session to track your status. Uniqueness depends on the server-specific implementation; some Java app servers may be weaker than others.

Jim

On 3 November 2010 18:51, k41zen Me <k41zen () me com> wrote:
> So the only cookie (JESSIONID) sent is by Firefox right from the very first GET request, and this never changes. Could it be using this one? I would expect a new cookie after auth, but there isn't one. The server doesn't send anything. I've read a bit around the JESSIONID cookie and how it differs from IE to Firefox and tabbed pages. If it is using this, how are they generated? How unique are they?
>
> On 3 Nov 2010, at 14:21, Jim Halfpenny wrote:
>
>> IP authentication is one possible method I've seen in some VOIP devices. Once you send your credentials, all requests from your IP are authorised as that user. It could also be taking an existing cookie set when you first visit and reusing this as your authentication token. Are there any other cookies set by this server?
>>
>> Jim
>>
>> On 2 November 2010 21:09, k41zen Me <k41zen () me com> wrote:
>>
>>> I'm struggling to see any session management taking place between the browser (Firefox) and a Tomcat app. The server returns no "Set-Cookie" header, there's no session info contained within the URL, the browser isn't sending auth with each request, and I can't see any data within the requests that could be providing session info. Is there some other way this could be provided?
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
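The pattern Jim describes, a pre-auth JSESSIONID that is simply "upgraded" by setting a flag in the server-side session, is also exactly the shape of a session fixation weakness: if the cookie value never changes across login, an attacker who can plant a JSESSIONID in the victim's browser before login owns the session afterwards. The following is an added illustration, not code from this thread, from Tomcat or from the application being discussed; the class names, the "authUser" attribute, the URL paths and the placeholder credential check are all hypothetical. It shows the weak form (reuse the existing session) next to the hardened form (discard the pre-auth session so the container issues a fresh JSESSIONID via Set-Cookie at login), plus the filter that turns that session attribute into an authorization decision.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet (example only; not the thread's application).
public class LoginServlet extends HttpServlet {

    // Placeholder credential check; a real application verifies against a user store.
    private boolean credentialsValid(String user, String pass) {
        return "alice".equals(user) && "correct horse battery".equals(pass);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        if (!credentialsValid(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // WEAK: keep whatever session (and JSESSIONID) the browser already had
        // before login. No Set-Cookie is sent on the login response, which is
        // what the thread observed, and a JSESSIONID an attacker planted earlier
        // is now bound to an authenticated user.
        //
        //   HttpSession session = req.getSession(true);

        // HARDENED: invalidate the pre-auth session and start a new one, so the
        // container mints a fresh JSESSIONID and sends it in Set-Cookie now.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        // On Servlet 3.1+ containers (Tomcat 8 and later) req.changeSessionId()
        // rotates the ID while keeping existing attributes; invalidate() followed
        // by getSession(true) is the portable equivalent for older containers.

        // This attribute is the "flag" Jim refers to: the only thing that
        // distinguishes an authenticated session from an anonymous one.
        session.setAttribute("authUser", user);
        resp.sendRedirect(req.getContextPath() + "/app/home");
    }
}

// Hypothetical filter mapped to /app/*. The request carries no credentials;
// the JSESSIONID cookie resolves to a server-side session, and the presence of
// the attribute in that session is the entire authorization check.
class AuthFilter implements Filter {

    public void init(FilterConfig cfg) { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getSession(false): do not create a session merely to inspect it.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("authUser") == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

To check a live target for the weak form: note the JSESSIONID value from the first GET, POST the login form, and compare. If the login response carries no Set-Cookie and the same JSESSIONID keeps working with authenticated content, the application accepts a pre-authentication session ID as an authenticated one, and a fixation test (pre-set a JSESSIONID of your choosing, then log in through that browser) is the next step. On the uniqueness question, Tomcat's own session ID generator draws from SecureRandom with a default length of 16 bytes (32 hex characters); other containers, or an application that installs its own generator, may differ, which is why sampling a few hundred fresh IDs and looking at their length and character distribution is worth doing before trusting them.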
Current thread:
- Session management k41zen Me (Nov 03)
- Re: Session management Jim Halfpenny (Nov 03)
- Re: Session management k41zen Me (Nov 03)
- Re: Session management Jim Halfpenny (Nov 04)
- Re: Session management David Porcello (Nov 04)
- Re: Session management k41zen Me (Nov 05)
- Re: Session management Jim Halfpenny (Nov 05)
- Re: Session management Butturini, Russell (Nov 05)
- Re: Session management k41zen Me (Nov 03)
- Re: Session management Jim Halfpenny (Nov 03)