Re: How to use JSESSIONID on follow-on request without basic auth?
On Tue, 19 Jan 2010, david.karr wrote:
On Jan 19, 8:36 am, "david.karr" <davidmichaelk...@gmail.com> wrote:
I'm trying to understand some details under the covers of basic auth
and the use of JSESSIONID in webapp security.
On an initial request, I can send an HTTP request with an
Authorization header containing the basic auth encoded value. The
server sends back a response along with the JSESSIONID cookie.
Now that I have the JSESSIONID cookie on the client side, is it
possible to form a (successful) secondary request that does not have
the Authorization header, using the JSESSIONID value?
Secondly, is it possible for that secondary request to come from a
different IP than the initial request?
Ok, I think I figured this out. Taking the cookie value and adding
";jsessionid=$value" to the URL will work. I verified that I can make
that secondary request from a different host than the initial
authenticated request, so I think this will work.
Anyone disagree?
I'm surprised it works. Disappointed, even - that doesn't seem very
secure. I suspect it may be implementation-dependent - what's the server
that is being fed the session IDs?
tom
--
There is a faster way to find out...
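The behaviour discussed above (a session ID accepted as a `;jsessionid=` path parameter, and honoured from a different client IP) is something a defender can spot in the container's access log; the script below is an added example, not code from this thread, and runs over a few constructed log lines in Common Log Format. It flags requests that carry the session ID in the URL (which also means the ID is now sitting in the log file itself) and session IDs seen from more than one client IP.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format); not taken from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jan/2010:08:36:01 -0800] "GET /app/account HTTP/1.1" 200 512
10.0.0.5 - - [19/Jan/2010:08:36:05 -0800] "GET /app/account;jsessionid=ABC123DEF456 HTTP/1.1" 200 512
192.168.7.9 - - [19/Jan/2010:08:40:12 -0800] "GET /app/account;jsessionid=ABC123DEF456 HTTP/1.1" 200 512
10.0.0.8 - - [19/Jan/2010:08:41:00 -0800] "GET /app/help HTTP/1.1" 200 120
"""

# client IP, request method, URL and status from a CLF line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# servlet-style URL session rewriting: a ";jsessionid=<id>" path parameter
JSESSIONID_RE = re.compile(r';jsessionid=(?P<sid>[^;?/\s]+)', re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, adding 'sid' (session ID found in the URL or None)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    sm = JSESSIONID_RE.search(rec["url"])
    rec["sid"] = sm.group("sid") if sm else None
    return rec


def analyse(log_text):
    """Return (url_session_hits, shared_sessions).

    url_session_hits: list of (ip, url) where the session ID travelled in the URL.
    shared_sessions:  {sid: sorted list of client IPs} for IDs used from more than one IP,
                      i.e. the cross-host reuse the thread describes.
    """
    url_hits = []
    ips_by_sid = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["sid"] is None:
            continue
        url_hits.append((rec["ip"], rec["url"]))
        ips_by_sid[rec["sid"]].add(rec["ip"])
    shared = {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}
    return url_hits, shared
```

On a Servlet 3.0+ container the URL form can be switched off entirely by restricting the tracking mode to cookies; the IP-sharing check is a heuristic, since legitimate clients behind changing proxies or mobile networks also move between addresses.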