tomcat-users mailing list archives

From "Akoulov, Alexandre [IT]" <>
Subject Tomcat security realms question
Date Fri, 15 Jul 2005 06:32:54 GMT

 Hi all
I have a problem that's been raised by my security team to do with using Tomcat JDBCRealms.
We're using such realms to protect restricted resources. We also have a custom login form.
The steps Tomcat seems to follow when using such a setup are:
 1. Check to see if the user is logged in with access to the restricted resource.
 2. If they aren't, forward them to the login page and create an HTTPSession to keep track
of that user.
 3. Once they've logged in, add the authentication system to the HTTPSession created in step
2 to hold that info and forward them to the resource.
 4. Continue using the same HTTPSession to maintain state.
 The problem my security team has with this is that someone could potentially steal the user's
HTTPSession ID before they've logged in, as this is created in the login screen. E.g. the
user is forwarded to the login screen, then goes to make themselves a cup of coffee. A hacker
goes to their computer and writes down the session ID. The user comes back and logs in, and
the hacker pretends to be them from another computer.
 My question is: how can I avoid this situation and keep the security guys happy? Is it possible
to have the session ID held by the browser (in JSESSIONID) change post-login (i.e. make Tomcat
invalidate the current session and create a new session after the user has been successfully
 Thanks for your help.
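The weakness described above, where a session ID issued before login stays valid after login, is what is usually called session fixation. The defence the poster asks about, rotating the session ID at the moment of successful authentication, can be done by the application itself when it handles the login POST. The following is an added example written for this thread, not code from the original post or from Tomcat: a login servlet that copies the pre-login session's attributes into a brand-new session, invalidates the old one, and only then records the authenticated user. The `Authenticator` class and its `check` method are a constructed stand-in for the real realm lookup, and the credential table inside it is constructed sample data. Later Servlet API versions (3.1+) offer `HttpServletRequest.changeSessionId()` for the same purpose, and current Tomcat authenticator valves rotate the ID themselves via their `changeSessionIdOnAuthentication` attribute, so with container-managed form login on a modern Tomcat this manual step is no longer needed.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the original post): a custom login servlet that
 * issues a fresh session ID once the credentials check out, so a JSESSIONID
 * observed while the login form was on screen is useless afterwards.
 */
public class LoginServlet extends HttpServlet {

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (!Authenticator.check(user, pass)) {
            // Failed login: keep the anonymous session, send the user back to the form.
            resp.sendRedirect(req.getContextPath() + "/login.jsp?error=1");
            return;
        }

        // Successful login: drop the pre-login session ID before storing any
        // authentication state, then mark the new session as authenticated.
        HttpSession fresh = rotateSession(req);
        fresh.setAttribute("authenticatedUser", user);

        // The originally requested URL, if the login filter stashed one, survives
        // the rotation because attributes were copied across.
        String target = (String) fresh.getAttribute("originalRequest");
        resp.sendRedirect(target != null ? target : req.getContextPath() + "/");
    }

    /**
     * Copies every attribute from the current session into a new one and
     * invalidates the old session, so the old JSESSIONID no longer maps to
     * anything on the server. Returns the new session.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();   // old ID is dead from this point on
        }
        HttpSession fresh = req.getSession(true);   // container issues a new ID
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /**
     * Constructed stand-in for the realm lookup. In a real deployment this is
     * where the JDBCRealm (or an equivalent store) would be consulted; the
     * in-memory table below is sample data for the example only.
     */
    static final class Authenticator {
        private static final Map<String, String> USERS = new HashMap<String, String>();
        static {
            USERS.put("alice", "correct horse battery staple");   // constructed sample
        }

        static boolean check(String user, String pass) {
            if (user == null || pass == null) {
                return false;
            }
            String expected = USERS.get(user);
            return expected != null && expected.equals(pass);
        }
    }
}
```

The order of operations matters: the old session is invalidated before any authentication state is written, so there is never a moment at which the pre-login ID refers to an authenticated session. Attributes are copied so that whatever the login flow stored before authentication (such as the originally requested URL) is not lost.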
