[Building Sakai] access/.../WebServlet.setSession question in Sakai 2.4.x

Casey Dunn caseyd.stan at gmail.com
Sat Mar 7 07:35:25 PST 2009


On Sat, Mar 7, 2009 at 1:10 AM, Stephen Swinsburg <s.swinsburg at lancaster.ac.uk> wrote:

> Hi Casey,
> Can't help you with your problem sorry but regarding finding a recent
> session with the matching ID then re-establishing it, this could be a
> security concern as one could attempt to guess/modify a session ID and be
> logged in as someone else. I guess that is possible now, someone could
> attempt to guess their session, but if they have timed out, as far as I
> know, they aren't revived so it's ok.
> cheers,
> Steve
>

Hey Steve -

yes it is; before public discussion I explained this to the mgt
concerned and got a write off.
and yes the existing Sakai functionality has this problem. If one had a
session one could ride right in.