From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org
Reply-To: "Tomcat Developers List" <dev@tomcat.apache.org>
Subject: DO NOT REPLY [Bug 40222] - Default Tomcat configuration allows easy session hijacking
Date: Fri, 12 Jan 2007 00:37:50 -0800 (PST)
Message-Id: <20070112083750.3E7797142FC@brutus.apache.org>

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=40222

------- Additional Comments From thulek@cz.ibm.com 2007-01-12 00:37 -------

NO, the problem is that the SessionID, when switching from HTTP to HTTPS, remains the same!!! I believe this is a serious security issue and should be dealt with.

The attack scenario again:

1) An HTTP page assigns a SessionID
2) Man-in-the-Middle notices the SessionID
3) Upon switch to HTTPS, the SessionID remains the same. After login to the HTTPS secure area the man-in-the-middle is able to access all HTTPS pages just using the SessionID obtained.
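The mitigation for the scenario in the comment above, as an added example that is neither Tomcat code nor from the bug's author: a servlet filter (Servlet 2.5 API, javax.servlet) that replaces a session first issued over plain HTTP with a fresh one the moment it is presented over TLS, so the ID an eavesdropper saw before the switch no longer resolves. The class name and the marker attribute name are assumptions made for this example.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter, not Tomcat code: when a request arrives over TLS but the
// session it carries was first issued over plain HTTP, replace that session
// with a fresh one so an ID seen on the wire before the switch stops working.
public class SessionRotateOnTlsFilter implements Filter {
    // Attribute name is an assumption made for this example.
    private static final String ISSUED_OVER_TLS = "example.session.issuedOverTls";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        if (session != null) {
            Boolean tls = (Boolean) session.getAttribute(ISSUED_OVER_TLS);
            // Session known to have been issued over HTTP, now used over TLS: rotate.
            if (tls != null && http.isSecure() && !tls.booleanValue()) {
                rotate(http, session);
            }
        }
        chain.doFilter(req, res);
        // Tag any session that exists now (possibly created during this request)
        // with the channel it was issued over, so the check above can see it later.
        HttpSession after = http.getSession(false);
        if (after != null && after.getAttribute(ISSUED_OVER_TLS) == null) {
            after.setAttribute(ISSUED_OVER_TLS, Boolean.valueOf(http.isSecure()));
        }
    }

    // Move the attributes into a brand-new session and invalidate the old one,
    // which is the pre-Servlet-3.1 way to change a session ID on Tomcat.
    static void rotate(HttpServletRequest http, HttpSession old) {
        Map<String, Object> saved = new HashMap<String, Object>();
        for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();                          // old ID no longer resolves
        HttpSession fresh = http.getSession(true); // new ID goes out in Set-Cookie
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(ISSUED_OVER_TLS, Boolean.TRUE);
    }
}
```

Map the filter to the protected HTTPS paths in web.xml and rotate the session again at login, since a session issued over TLS but before authentication is still a fixation candidate.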