tomcat-dev mailing list archives

From GOMEZ Henri <hgo...@slib.fr>
Subject RE: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/session SessionId.java
Date Mon, 05 Nov 2001 10:22:21 GMT
Excellent idea

+1

but could we have it enabled in server.xml?

-
Henri Gomez                 ___[_]____
EMAIL : hgomez@slib.fr        (. .)                     
PGP KEY : 697ECEDD    ...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 



>-----Original Message-----
>From: bojan@apache.org [mailto:bojan@apache.org]
>Sent: Monday, November 05, 2001 7:34 AM
>To: jakarta-tomcat-cvs@apache.org
>Subject: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/session SessionId.java
>
>
>bojan       01/11/04 22:34:09
>
>  Modified:    src/share/org/apache/tomcat/modules/session 
>SessionId.java
>  Log:
>  Verify SSL Session ID against Tomcat session.
>  Disables Tomcat session stealing over SSL.
>  
>  Since nobody complained about the concept, I took the liberty to do it... Scream if against the rules.
>  
>  Revision  Changes    Path
>  1.15      +25 -0     jakarta-tomcat/src/share/org/apache/tomcat/modules/session/SessionId.java
>  
>  Index: SessionId.java
>  ===================================================================
>  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/session/SessionId.java,v
>  retrieving revision 1.14
>  retrieving revision 1.15
>  diff -u -r1.14 -r1.15
>  --- SessionId.java	2001/09/01 00:53:43	1.14
>  +++ SessionId.java	2001/11/05 06:34:09	1.15
>  @@ -235,6 +235,31 @@
>   	    if( sess!=null ) break;
>   	}
>   
>  +        /* The following block of code verifies if Tomcat 
>session matches
>  +           SSL session (if one was ever passed to Tomcat). 
>Just in case
>  +           somebody is trying to steal Tomcat sessions over SSL.
>  +           We can't verify that if SSL is not used. */
>  +
>  +        if(sess != null && request.isSecure() ){ // Request 
>is over SSL
>  +          // SSL session ID from session and request - they 
>have to be equal!
>  +          String 
>ids=(String)sess.getAttribute("javax.servlet.request.ssl_session"),
>  +                 
>idr=(String)request.getAttribute("javax.servlet.request.ssl_session");
>  +
>  +          if(debug>0) cm.log("Request SSL ID="+idr+", 
>Session SSL ID="+ids);
>  +
>  +          if(idr != null){ // Only do this if there is an 
>SSL session ID
>  +            if(ids != null){ // Do we have a stored SSL 
>session ID from before?
>  +              if(!ids.equals(idr)){ // Is someone cheating?
>  +                sess=null; // No sessions for thugs
>  +                cm.log("SECURITY WARNING: SSL session "+idr+
>  +                       " doesn't match Tomcat session 
>"+sessionId+"!");
>  +              }
>  +            } else { // First time, save the SSL session ID
>  +              
>sess.setAttribute("javax.servlet.request.ssl_session",idr);
>  +            }
>  +          }
>  +        }
>  +
>   	if (sess != null) {
>   	    request.setRequestedSessionId( sessionId );
>   	    request.setSessionIdSource( source );
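Review bot: the stored SSL session id is written only when `ids` is null and is never refreshed, so a legitimate SSL session change (server-side SSL session cache expiry, a new connection with a full handshake) makes `ids.equals(idr)` fail and drops the user's Tomcat session with a SECURITY WARNING; there is no path to rebind and no switch other than `debug`, so the check should be made configurable. On mismatch the patch only sets `sess=null`, leaving the session alive to be retried with the next request; invalidating it, or requiring re-authentication before rebinding, would be safer. The check also runs only when `request.isSecure()`, so a stolen id presented over plain HTTP is accepted unchanged (the comment concedes this); a session that already carries an SSL id could at least be refused, or logged, when it arrives over HTTP. Minor: the id is kept under the public attribute name "javax.servlet.request.ssl_session", which a webapp can overwrite via setAttribute; a module-private key would avoid collisions.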
>  
>  
>  
>
>--
>To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
>For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
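The same idea as the committed check, binding a servlet session to the TLS session it first appeared on, written as a plain servlet Filter so it can sit in front of any webapp and be switched on or off in web.xml. This is an added example, not Tomcat's code or the patch above. It assumes the container publishes the TLS session id as a request attribute (the default name used here is the Servlet 3.0 one, "javax.servlet.request.ssl_session_id"; the Tomcat 3.x patch used "javax.servlet.request.ssl_session"), and the init parameter "tlsSessionIdAttribute" is a hypothetical name introduced for this example. It differs from the patch in two deliberate ways: a mismatch invalidates the session instead of only ignoring it for the current request, and a bound session presented over plain HTTP is refused rather than passed through unchecked.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds each HttpSession to the TLS session it was first used on and
 * rejects later requests that present the session over a different TLS
 * session, or over plain HTTP.
 *
 * Added example, not Tomcat code. Assumes the container publishes the TLS
 * session id as a request attribute; the default name below is the
 * Servlet 3.0 one and can be overridden with the hypothetical init
 * parameter "tlsSessionIdAttribute".
 */
public class TlsSessionBindingFilter implements Filter {

    /** Filter-private session attribute, so the webapp cannot overwrite it by accident. */
    static final String BOUND_KEY = TlsSessionBindingFilter.class.getName() + ".boundTlsId";

    /** What the check decided; doFilter turns the REJECT_* verdicts into a 403. */
    enum Verdict { OK, BOUND_NOW, REJECT_PLAINTEXT, REJECT_MISMATCH }

    private String tlsIdAttribute = "javax.servlet.request.ssl_session_id";
    private ServletContext ctx;

    public void init(FilterConfig config) throws ServletException {
        ctx = config.getServletContext();
        String name = config.getInitParameter("tlsSessionIdAttribute");
        if (name != null && name.length() > 0) {
            tlsIdAttribute = name;
        }
    }

    /**
     * Core check, kept free of servlet plumbing so it can be unit-tested.
     * The first secure request binds the session; later ones must match.
     */
    static Verdict verify(HttpSession session, boolean secure, String tlsId) {
        if (!secure) {
            // A stolen id presented over plain HTTP would otherwise skip the check entirely.
            return Verdict.REJECT_PLAINTEXT;
        }
        if (tlsId == null) {
            // Container exposed no TLS session id: nothing to bind to. Failing open is a
            // policy choice for this example; a stricter deployment could reject here.
            return Verdict.OK;
        }
        String bound = (String) session.getAttribute(BOUND_KEY);
        if (bound == null) {
            session.setAttribute(BOUND_KEY, tlsId);
            return Verdict.BOUND_NOW;
        }
        return bound.equals(tlsId) ? Verdict.OK : Verdict.REJECT_MISMATCH;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create a session here

        if (session != null) {
            Object attr = request.getAttribute(tlsIdAttribute);
            String tlsId = attr == null ? null : attr.toString();
            Verdict v = verify(session, request.isSecure(), tlsId);
            if (v == Verdict.REJECT_PLAINTEXT || v == Verdict.REJECT_MISMATCH) {
                // Unlike the patch, kill the session server-side so the id cannot be
                // retried on the next request, then make the client re-authenticate.
                ctx.log("SECURITY WARNING: session rejected (" + v + "), request TLS id=" + tlsId);
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

The caveat that applies to both this filter and the patch: a TLS session id is not a stable per-user identifier. The server's TLS session cache times out, a browser may open a fresh connection with a full handshake, and some TLS stacks expose no id at all, so legitimate users will also be logged out when the id changes. That is why the binding belongs behind a configuration switch rather than being always on, and why the mismatch branch should force re-authentication rather than silently keep the old session around.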
