Session Tracking Security - Session Takeover?
843840, Sep 26 2002 (edited Oct 1 2002)

My HttpServlet uses session tracking by using the HttpSession object. As far as I know, if the client browser doesn't allow/support cookies, the HttpSession object automatically uses URL rewriting for session identification and therefore adds the session id as a param/key to the URL (instead of saving it to a cookie when a cookie is available).
In the rewriting case, I can think of a situation where user B can get the session id of user A. So if, in whichever way, user B gets user A's session id, user B could take over the session of user A. Is this really possible?
If yes, this would be a major security hole in my eyes. Then I would think of implementing a kind of HttpSession/IP identification by storing the client IP in the HttpSession object on the first request (where the session gets created) and checking the IP upon each following request. This would give a little bit more security, but still not enough to be absolutely sure sessions can't be taken over? Any better ideas?
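As an added illustration (example code written for this page, not code from the original poster or from any servlet container), the following servlet Filter implements the two checks the question circles around: it refuses to honour a session id that arrived through URL rewriting (the `jsessionid` case, which is the one that can be copied out of a URL, a proxy log or a Referer header), and it binds each HttpSession to the client address seen when the session was first used. The filter class name and the session attribute name `example.boundRemoteAddr` are assumptions made for this example; `isRequestedSessionIdFromURL()`, `getRemoteAddr()` and the rest are the standard `javax.servlet` API.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not from the original thread): rejects session ids
 * carried in a rewritten URL and binds each session to the client address
 * that created it. Map it to /* in web.xml so it runs before the servlets.
 */
public class SessionBindingFilter implements Filter {

    // Attribute name is an assumption made for this example.
    private static final String BOUND_ADDR = "example.boundRemoteAddr";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. A session id presented in the URL (;jsessionid=...) is the case the
        //    question is about: anyone who obtains that URL can replay it. Drop
        //    the session it names and refuse the request instead of honouring it.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession leaked = request.getSession(false);
            if (leaked != null) {
                leaked.invalidate();
            }
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Session ids are accepted from cookies only");
            return;
        }

        // 2. Record the client address on the session's first request and compare
        //    it on every later one; a mismatch is treated as a stolen session.
        HttpSession session = request.getSession(true);
        String bound = (String) session.getAttribute(BOUND_ADDR);
        String current = request.getRemoteAddr();
        if (bound == null) {
            session.setAttribute(BOUND_ADDR, current);
        } else if (!bound.equals(current)) {
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Session does not belong to this client");
            return;
        }

        chain.doFilter(request, response);
    }
}
```

Two caveats a practitioner would want alongside this. Rejecting URL-carried ids means clients without cookies cannot use the application at all, which is the trade-off being made; if that is unacceptable, never emit the id in a URL yourself (avoid `response.encodeURL` on links that could leave the site). The address check is only a weak signal: users behind a proxy farm or a mobile carrier change `getRemoteAddr()` mid-session and get logged out, while an attacker behind the same NAT as the victim passes the check. In addition to either check, issue a fresh session id at login (newer Servlet versions expose `request.changeSessionId()` for this) so that an id the attacker learned before authentication does not stay valid afterwards.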