User induced session stomping?

Paul Hethmon paul.hethmon at clareitysecurity.com
Mon Aug 27 12:00:06 EDT 2012



On 8/27/12 11:52 AM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:

>On 8/27/12 11:48 AM, "Kevin P. Foote" <kpfoote at iup.edu> wrote:
>>
>>I am seeing more of this (as well) during this fall startup than in the
>>past. Maybe just a user thing. Users are trying to jump ahead of
>>themselves and multi-task for some reason. :-)
>
>Is there a way to distinguish that case from the IMHO more common case of
>a back button going back over the login servlet?

Seems like you could see that the user has an existing session at that
point (on the submittal of the old login form). So you skip the login
handling and process it as an SSO request. Not sure where that would
happen, I think in the login handler. It also might be some code in the
login servlet though.

Would have to think hard whether that case is safe to handle that way.

Paul
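The decision Paul sketches (detect an existing session when a stale login form is submitted and route it as an SSO request rather than re-running credential handling) is shown below as an added illustration. It is not code from the Shibboleth IdP or from anyone in this thread; the session store, the single-use form token with an issue timestamp, the `Request` shape and the credential table are all assumptions constructed for the example. The token timestamp is what lets the handler tell a form rendered before the session existed (back button, second tab) from a deliberate re-login, and the username comparison is the "think hard whether that is safe" part: a stale form carrying credentials for a different principal is not silently mapped onto the existing session.

```python
"""Stale login-form submission vs. existing session (illustrative, not IdP code)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed credential store for the example only.
CREDENTIALS = {"alice": "pw-alice", "bob": "pw-bob"}


@dataclass
class Session:
    user: str
    created: float  # time the session was established


@dataclass
class Request:
    session_id: Optional[str]   # session cookie, if the browser sent one
    form_token: Optional[str]   # single-use token embedded in the login form
    username: Optional[str] = None
    password: Optional[str] = None


class LoginHandler:
    """Decides what to do with a POST to the login servlet (assumed design)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.form_tokens: Dict[str, float] = {}  # token -> time the form was rendered

    def render_form(self, now: float) -> str:
        """Issue a fresh single-use token when the login form is rendered."""
        token = secrets.token_urlsafe(16)
        self.form_tokens[token] = now
        return token

    def _check_password(self, username: Optional[str], password: Optional[str]) -> bool:
        return username is not None and CREDENTIALS.get(username) == password

    def handle(self, req: Request, now: float) -> Tuple[str, Optional[str]]:
        """Return (action, session_id).

        Actions: 'reject_stale' (token unknown or already consumed), 'sso' (existing
        session reused, credentials in the form are not evaluated), 'conflict'
        (stale form names a different principal), 'login_ok', 'login_failed'.
        """
        issued_at = self.form_tokens.pop(req.form_token or "", None)  # single use
        if issued_at is None:
            return ("reject_stale", None)

        session = self.sessions.get(req.session_id or "")
        if session is not None and issued_at < session.created:
            # Form was rendered before this session existed: back button or a
            # second tab. Skip credential handling and continue as SSO, but only
            # for the same principal the session already belongs to.
            if req.username and req.username != session.user:
                return ("conflict", None)
            return ("sso", req.session_id)

        # No session, or a form rendered after login (deliberate re-auth):
        # ordinary credential handling.
        if not self._check_password(req.username, req.password):
            return ("login_failed", None)
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user=req.username, created=now)
        return ("login_ok", sid)


if __name__ == "__main__":
    h = LoginHandler()
    tab_a = h.render_form(now=100.0)
    tab_b = h.render_form(now=101.0)  # user opened the login page twice
    action, sid = h.handle(Request(None, tab_a, "alice", "pw-alice"), now=102.0)
    print(action)  # login_ok
    print(h.handle(Request(sid, tab_b, "alice", "pw-alice"), now=103.0)[0])  # sso
    print(h.handle(Request(sid, tab_b, "alice", "pw-alice"), now=104.0)[0])  # reject_stale
```

The second submission reuses the session instead of re-authenticating, the replay of the same token is rejected, and a stale form that names another user is flagged rather than resolved either way; a real deployment would also want the token bound to the session cookie or a CSRF mechanism, which this sketch leaves out.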


