tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r892545 - in /tomcat/tc6.0.x/trunk: ./ java/org/apache/catalina/ java/org/apache/catalina/authenticator/ java/org/apache/catalina/connector/ java/org/apache/catalina/ha/session/ java/org/apache/catalina/session/ webapps/docs/ webapps/docs/c...
Date Sun, 20 Dec 2009 01:04:18 GMT
Author: markt
Date: Sun Dec 20 01:04:17 2009
New Revision: 892545

URL: http://svn.apache.org/viewvc?rev=892545&view=rev
Log:
Address https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Prevent session fixation by changing session ID on authentication by default

Modified:
    tomcat/tc6.0.x/trunk/   (props changed)
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml

Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun Dec 20 01:04:17 2009
@@ -1,2 +1,2 @@
 /tomcat:883362
-/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,770809,77
 0876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883146,883177,883362,885038,885991,886019,888072,889363,890349,890417,891583,892198
+/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,770809,77
 0876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883146,883177,883362,885038,885991,886019,888072,889363,889716,890349,890417,891583,892198,892415

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sun Dec 20 01:04:17 2009
@@ -322,22 +322,6 @@
   +1: markt, rjung
   -1: 
 
-* Address https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
-  Prevent session fixation by changing session ID on authentication by default
-  If you don't like the session ID changing by default, feel free to caveat your
-  vote. If there is suggicient support for the patch but insufficient support
-  for changing the ID by default I'll apply the patch with the default set to
-  not change the session ID
-  http://svn.apache.org/viewvc?rev=889716&view=rev
-  +1: markt, jfclere, jim
-  -1: kkolinko: -1 if alone, +1 if committed together with rev.892415
-    proposed below.
-
-  Provide setter for the new AuthenticatorBase property
-  http://svn.apache.org/viewvc?rev=892415&view=rev
-  +1: kkolinko, rjung, markt
-  -1:
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=43656
   Coerce null to zero when target type in Number
   http://svn.apache.org/viewvc?rev=890139&view=rev

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java Sun Dec 20 01:04:17 2009
@@ -260,6 +260,15 @@
 
 
     /**
+     * Change the session ID of the current session to a new randomly generated
+     * session ID.
+     * 
+     * @param session   The session to change the session ID for
+     */
+    public void changeSessionId(Session session);
+    
+    
+    /**
      * Get a session from the recycled ones or create a new empty one.
      * The PersistentManager manager does not need to create session data
      * because it reads it from the Store.

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Sun
Dec 20 01:04:17 2009
@@ -37,6 +37,7 @@
 import org.apache.catalina.Lifecycle;
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.LifecycleListener;
+import org.apache.catalina.Manager;
 import org.apache.catalina.Pipeline;
 import org.apache.catalina.Realm;
 import org.apache.catalina.Session;
@@ -113,6 +114,12 @@
 
 
     /**
+     * Should the session ID, if any, be changed upon a successful
+     * authentication to prevent a session fixation attack?
+     */
+    protected boolean changeSessionIdOnAuthentication = true;
+    
+    /**
      * The Context to which this Valve is attached.
      */
     protected Context context = null;
@@ -366,6 +373,31 @@
         this.securePagesWithPragma = securePagesWithPragma;
     }    
 
+    /**
+     * Return the flag that states if we should change the session ID of an
+     * existing session upon successful authentication.
+     * 
+     * @return <code>true</code> to change session ID upon successful
+     *         authentication, <code>false</code> to do not perform the change.
+     */
+    public boolean getChangeSessionIdOnAuthentication() {
+        return changeSessionIdOnAuthentication;
+    }
+
+    /**
+     * Set the value of the flag that states if we should change the session ID
+     * of an existing session upon successful authentication.
+     * 
+     * @param changeSessionIdOnAuthentication
+     *            <code>true</code> to change session ID upon successful
+     *            authentication, <code>false</code> to do not perform the
+     *            change.
+     */
+    public void setChangeSessionIdOnAuthentication(
+            boolean changeSessionIdOnAuthentication) {
+        this.changeSessionIdOnAuthentication = changeSessionIdOnAuthentication;
+    }
+
     // --------------------------------------------------------- Public Methods
 
 
@@ -499,6 +531,7 @@
                  */
                 return;
             } 
+            
         }
     
         if (log.isDebugEnabled()) {
@@ -712,6 +745,13 @@
         request.setUserPrincipal(principal);
 
         Session session = request.getSessionInternal(false);
+        
+        if (session != null && changeSessionIdOnAuthentication) {
+            Manager manager = request.getContext().getManager();
+            manager.changeSessionId(session);
+            request.changeSessionId(session.getId());
+        }
+
         // Cache the authentication information in our session, if any
         if (cache) {
             if (session != null) {

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java Sun Dec 20 01:04:17
2009
@@ -2234,6 +2234,50 @@
 
 
     /**
+     * Change the ID of the session that this request is associated with. There
+     * are several things that may trigger an ID change. These include moving
+     * between nodes in a cluster and session fixation prevention during the
+     * authentication process.
+     * 
+     * @param session   The session to change the session ID for
+     */
+    public void changeSessionId(String newSessionId) {
+        // This should only ever be called if there was an old session ID but
+        // double check to be sure
+        if (requestedSessionId != null && requestedSessionId.length() > 0) {
+            requestedSessionId = newSessionId;
+        }
+        
+        if (context != null && !context.getCookies())
+            return;
+        
+        if (response != null) {
+            Cookie newCookie = new Cookie(Globals.SESSION_COOKIE_NAME,
+                    newSessionId);
+            newCookie.setMaxAge(-1);
+            String contextPath = null;
+            if (!response.getConnector().getEmptySessionPath()
+                    && (context != null)) {
+                contextPath = context.getEncodedPath();
+            }
+            if ((contextPath != null) && (contextPath.length() > 0)) {
+                newCookie.setPath(contextPath);
+            } else {
+                newCookie.setPath("/");
+            }
+            if (isSecure()) {
+                newCookie.setSecure(true);
+            }
+            if (context == null) {
+            	response.addCookieInternal(newCookie, false);
+            } else {
+            	response.addCookieInternal(newCookie, context.getUseHttpOnly());
+            }
+        }
+    }
+
+    
+    /**
      * Return the session associated with this Request, creating one
      * if necessary and requested.
      *

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java Sun
Dec 20 01:04:17 2009
@@ -402,9 +402,8 @@
      *            new session id for node migration
      */
     protected void changeRequestSessionID(Request request, Response response, String sessionId,
String newSessionID) {
-        request.setRequestedSessionId(newSessionID);
-        if(request.isRequestedSessionIdFromCookie())
-            setNewSessionCookie(request, response,newSessionID);
+        request.changeSessionId(newSessionID);
+
         // set orginal sessionid at request, to allow application detect the
         // change
         if (sessionIdAttribute != null && !"".equals(sessionIdAttribute)) {
@@ -447,6 +446,8 @@
      * @param request current request
      * @param response Tomcat Response
      * @param sessionId The session id
+     * 
+     * @deprecated Use {@link Request#changeSessionId(String)}
      */
     protected void setNewSessionCookie(Request request,
                                        Response response, String sessionId) {

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java Sun Dec 20 01:04:17
2009
@@ -924,6 +924,17 @@
     }
 
 
+    /**
+     * Change the session ID of the current session to a new randomly generated
+     * session ID.
+     * 
+     * @param session   The session to change the session ID for
+     */
+    public void changeSessionId(Session session) {
+        session.setId(generateSessionId());
+    }
+    
+    
     // ------------------------------------------------------ Protected Methods
 
 

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Dec 20 01:04:17 2009
@@ -86,7 +86,11 @@
       </fix>
       <fix>
         <bug>44943</bug>: Use the same engine name in server.xml comments to
-        reduce copy and pastes issues. (markt, kkolinko)
+        reduce copy and pastes issues. (markt/kkolinko)
+      </fix>
+      <fix>
+        <bug>45255</bug>: Provide protection against session fixation by
+        changing session ID automatically on authentication. (markt/kkolinko)
       </fix>
       <fix>
         <bug>45403</bug>: Add additional checks on web application deployment

Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml Sun Dec 20 01:04:17 2009
@@ -436,6 +436,13 @@
         <strong>org.apache.catalina.authenticator.BasicAuthenticator</strong>.</p>
       </attribute>
 
+      <attribute name="changeSessionIdOnAuthentication" required="false">
+        <p>Controls if the session ID is changed if a session exists at the
+        point where users are authenticated. This is to prevent session fixation
+        attacks. If not set, the default value of <code>true</code> will be
+        used.</p>
+      </attribute>
+
       <attribute name="disableProxyCaching" required="false">
         <p>Controls the caching of pages that are protected by security
         constraints. Setting this to <code>false</code> may help work around
@@ -488,6 +495,13 @@
         <strong>org.apache.catalina.authenticator.DigestAuthenticator</strong>.</p>
       </attribute>
 
+      <attribute name="changeSessionIdOnAuthentication" required="false">
+        <p>Controls if the session ID is changed if a session exists at the
+        point where users are authenticated. This is to prevent session fixation
+        attacks. If not set, the default value of <code>true</code> will be
+        used.</p>
+      </attribute>
+
       <attribute name="disableProxyCaching" required="false">
         <p>Controls the caching of pages that are protected by security
         constraints. Setting this to <code>false</code> may help work around
@@ -540,6 +554,13 @@
         <strong>org.apache.catalina.authenticator.FormAuthenticator</strong>.</p>
       </attribute>
 
+      <attribute name="changeSessionIdOnAuthentication" required="false">
+        <p>Controls if the session ID is changed if a session exists at the
+        point where users are authenticated. This is to prevent session fixation
+        attacks. If not set, the default value of <code>true</code> will be
+        used.</p>
+      </attribute>
+
       <attribute name="characterEncoding" required="false">
         <p>Character encoding to use to read the username and password parameters
         from the request. If not set, the encoding of the request body will be
@@ -598,6 +619,13 @@
         <strong>org.apache.catalina.authenticator.SSLAuthenticator</strong>.</p>
       </attribute>
 
+      <attribute name="changeSessionIdOnAuthentication" required="false">
+        <p>Controls if the session ID is changed if a session exists at the
+        point where users are authenticated. This is to prevent session fixation
+        attacks. If not set, the default value of <code>true</code> will be
+        used.</p>
+      </attribute>
+
       <attribute name="disableProxyCaching" required="false">
         <p>Controls the caching of pages that are protected by security
         constraints. Setting this to <code>false</code> may help work around



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message