Return-Path: Delivered-To: apmail-tomcat-users-archive@www.apache.org Received: (qmail 95041 invoked from network); 10 Aug 2006 06:49:26 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 10 Aug 2006 06:49:26 -0000 Received: (qmail 80915 invoked by uid 500); 10 Aug 2006 06:49:14 -0000 Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org Received: (qmail 80892 invoked by uid 500); 10 Aug 2006 06:49:14 -0000 Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Users List" Delivered-To: mailing list users@tomcat.apache.org Received: (qmail 80881 invoked by uid 99); 10 Aug 2006 06:49:13 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 09 Aug 2006 23:49:13 -0700 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: domain of thulek@cz.ibm.com designates 195.212.29.153 as permitted sender) Received: from [195.212.29.153] (HELO mtagate4.de.ibm.com) (195.212.29.153) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 09 Aug 2006 23:49:12 -0700 Received: from d12nrmr1607.megacenter.de.ibm.com (d12nrmr1607.megacenter.de.ibm.com [9.149.167.49]) by mtagate4.de.ibm.com (8.13.7/8.13.7) with ESMTP id k7A6moPL041628 for ; Thu, 10 Aug 2006 06:48:50 GMT Received: from d12av04.megacenter.de.ibm.com (d12av04.megacenter.de.ibm.com [9.149.165.229]) by d12nrmr1607.megacenter.de.ibm.com (8.13.6/8.13.6/NCO v8.1.1) with ESMTP id k7A6qV2P146882 for ; Thu, 10 Aug 2006 08:52:31 +0200 Received: from d12av04.megacenter.de.ibm.com (loopback [127.0.0.1]) by d12av04.megacenter.de.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id k7A6moYh009355 for ; Thu, 10 Aug 2006 08:48:50 +0200 Received: from d12ml971.megacenter.de.ibm.com (d12ml971.megacenter.de.ibm.com [9.149.164.167]) by d12av04.megacenter.de.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id k7A6moXo009350 for ; Thu, 10 Aug 2006 08:48:50 +0200 In-Reply-To: Subject: Re: Session hijacking with Tomcat/Myfaces - unable to fix it To: "Tomcat Users List" X-Mailer: Lotus Notes Release 7.0 HF242 April 21, 2006 Message-ID: From: Tomas Hulek Date: Thu, 10 Aug 2006 08:48:49 +0200 X-MIMETrack: Serialize by Router on D12ML971/12/M/IBM(Release 6.5.5HF607 | June 26, 2006) at 10/08/2006 08:52:30 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Unfortunately, the fundamentally bad security scheme is how the JS API specification is implemented in Tomcat (when using form-based authentication). When processing a form-based authetication request under HTTPS, Tomcat retains the session ID allocated under HTTP. We have tried invalidating the session and creating a new one once the user hits the login form/HTTPS. However, once you invalidate the session in the login form Tomcat forgets which URL the user wanted to see and tries to display the "j_security_check", which fails, naturally. Any hints how to fix it? Tomas "Kim Albee" wrote on 10.08.2006 03:06:53: > It's a fundamentally bad security scheme to use the session-ID as the > identifier for your users. Might be straight forward, but architecturally a > bad choice if you *really* want a secure area. > > Kim :-) > > On 8/9/06, Tomas Hulek wrote: > > > > The default Tomcat installation is prone to session hijacking. I would > > appreciate help how to fix it. > > > > The problem is that the session-id generated under HTTP (eg. for any JSF > > page) is caried over to authenticated confidential pages under HTTPS. > > > > Thus the session ID can be easily sniffed under HTTP, then misused after > > user logs-in under HTTPS. > > > > I believe it can be considered as a serious security bug. > > > > Scenario: > > > > 1) Tomcat and JSF, using Apache MyFaces. > > > > 2) A single application (context), using JSF pages > > > > 3) Some pages are public, and Faces servlet requests session ID on the > > first hit > > > > 4) Some pages are only accessible under HTTPS after authetication, as > > defined in web.xml: > > > > > > > > Secret part > > /secret/* > > > > > > secret_role > > > > > > CONFIDENTIAL > > > > > > > > 5) Form-based authentication is used for the login (again, defined in > > web.xml). > > > > 6) The user goes to the public part of the aplication, gets a session ID > > (under HTTP) > > > > 7) The user goes to a confidential URL, logging-in successfully. The same > > session ID is retained!!! > > > > 8) Anyone who knows the session ID generated in step 6 can reach the > > confidential URL. > > > > We have not found any straightforward way of making Tomcat regenerate the > > session ID once user swichtes to HTTPS. We tried many approaches, and all > > of them break some part of the JSF application. > > > > > > Thank you for your help, > > > > > > Tomas Hulek > > > > > > --------------------------------------------------------------------- > > To start a new topic, e-mail: users@tomcat.apache.org > > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org > > For additional commands, e-mail: users-help@tomcat.apache.org > > > > --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org For additional commands, e-mail: users-help@tomcat.apache.org