tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40222] - Default Tomcat configuration alows easy session hijacking
Date Tue, 26 Dec 2006 19:31:47 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40222>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40222





------- Additional Comments From thulek@cz.ibm.com  2006-12-26 11:31 -------
(In reply to comment #1)
> Are you sure the same session is indeed carried over?  I thought we'd
> implemented the opposite (new session when moving from HTTP to HTTPS), quite
> purposefully for security, as far back as Tomcat 3.x.  See for example


Yes, I am sure. The problem can be demonstrated like this:

1) Using HTTP, go to an insecure page which assigns a JSESSIONID (eg. any JSF page)

2) Notice the JSESSIONID (which can be sniffed on the network by man-in-the-middle)

3) Go to an authenticated HTTPS page (eg. via form-based login). Look at the
"secure data".

The JSESSIONID is still the same!

4) From another computer, write the URL of the authenticated page including the
JSESSIOND obtained in step 2 above. Bingo - the hacker is in!

In order to circumvent the problem, we had to insert code into the login page
which invalidates previously assigned session, loosing all session info.

An easy fix in Tomcat would be to change (or append) the JSESSIONID upon
switching from HTTP to HTTPS. Switching from HTTPS to HTTP is already forbidden
as you mention, which is correct.

Tomas


-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message