tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Funk <funk...@joedog.org>
Subject Re: Tomcat5 and url tracking hijacking
Date Tue, 27 Jan 2004 18:18:11 GMT
If a user posts a message to a bulletin board that contains a session id - 
expect it to be hijacked.

You could create some simple filters to bind the session to the user's ip 
address (which could break in proxies) or other weak security through 
obscurity approches.

-Tim

Marc Hughes wrote:

> I don't see how https would help. Someone posting a url to a newsgroup 
> along the lines of either of these
> 
> https://somesite/jsessionid=94823904823908432098
> http://somesite/jsessionid=94823904823908432098
> would still hijack the session, no?  Could you elaborate on how ssl 
> would help?
> Cookie hijacking is far less likely since a user is very unlikely to 
> post their cookie data somewhere.  An attacker would have to guess the 
> sessionID.  The sessionID is securely generated so it can't easily be 
> predicted before hand (right?).
> I'm sure preventing multiple people from using the same session ID if 
> the url is emailed or posted is something lots of people would like to 
> prevent.  I would assume there are good ways of handling it and I'd 
> rather not reinvent the wheel.  Are there any best-practices or design 
> patterns to guide someone?  Maybe restricting url tracking people to a 
> certain ip range, or within a certain tolerance of other info they send 
> back (browser, some other signature, etc.)?
> 
> Thanks,
> -Marc
> 
> 
> Subject:
> Re: Tomcat5 and url tracking hijacking
> From:
> Tim Funk <funkman@joedog.org>
> Date:
> Tue, 27 Jan 2004 09:41:27 -0500
> 
> To:
> Tomcat Users List <tomcat-user@jakarta.apache.org>
> 
> yeah - you'd get that users session. Same problem with cookie hijacking.
> 
> Use https.
> 
> There is nothing defined by the spec to prevent this. (Except https)
> 
> -Tim
> 
> Marc Hughes wrote:
> 
>> Does tomcat 5 use some kind of mechanism to prevent session hijacking 
>> when url session tracking is being used?  For instance, if someone 
>> posts a url to a website with the tracking info in it, will anyone 
>> clicking on that link pick up the original user's session (assuming it 
>> didn't time out yet)?  If it does prevent this, how?
>>
>> If anyone knows of any articles about keeping sessions safe, I'd love 
>> to get pointed to those.
>>
> 
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message